A friend tells me that he uses Basic authentication of IIS for authentication of his web app. This system uses Kerberos too, but how can Basic Authentication and Kerberos work together?! I know that Basic Authentication sends the password in Base64 (like cleartext), and Kerberos doesn't send the password across the network; it uses a ticket system. So, how can Kerberos integrate with Basic authentication?


2 Answers


I think what the application must be doing is prompting the user for a username and password, and then using that to authenticate against some back-end Kerberos system. At this point, the web app can impersonate the user and connect to other resources as necessary. Microsoft has a brief writeup of this technique here.

I don't think it's a great idea in general, as the user now has to trust the web server not to stash his password and/or impersonate him in unwanted ways. With a pure Kerberos setup, the user can be confident that the web server is who it claims to be, and limit delegation, without revealing his password to anyone. However, firewalls, the internet, and various other factors often make it attractive or necessary to use Basic authentication instead of pure Kerberos.

  • ISA or Forefront does something like this, an HTTPS anonymous form authentication that turns into a Kerberos ticket. – Gabriel Guimarães Mar 25 '11 at 14:53
  • @Gabriel, saying it "turns into a Kerberos ticket" is a bit simplistic; FFTMG acts as a Kerberos delegate, impersonating the authenticated user and requesting the TGT on their behalf. – Chris S Mar 25 '11 at 15:01

Most web applications use basic authentication, also known as forms-based authentication, typically with SSL to secure the credentials. The only time you would use Integrated authentication is on an Intranet site (SharePoint is a well-known example of something that can leverage integrated authentication). Integrated authentication sounds fantastic, but it can be tricky to get working properly and keep it working reliably. Forms-based authentication is typically more reliable.

The webserver takes the credentials supplied by the user, and authenticates with Active Directory on their behalf using ... Kerberos. If the web application needs to impersonate the user and access resources external to the IIS server (a common scenario), Kerberos authentication is required. (I.e., NTLM authentication will not work in that impersonation scenario).

Greg Askew
  • Basic auth is not Forms auth. Authentication is the process of identifying a user; on the server side it's done on the first request. Forms-based auth happens after the first request, so the user is already identified as anonymous. Basic auth happens when you receive a prompt for username and password. – Gabriel Guimarães Mar 25 '11 at 15:04
  • Basic authentication is anything that is not: Anonymous, Integrated, Digest, or .NET Passport. And that would include forms authentication. – Greg Askew Mar 25 '11 at 15:11
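The question's point that Basic authentication only Base64-encodes the password, and the second answer's note that it is therefore normally paired with SSL, can be shown with a small audit routine. This is an added example, not code from the thread or from IIS: it decodes RFC 7617 Basic headers from constructed sample requests and flags the ones that travelled without TLS.

```python
import base64
import binascii

# Constructed sample requests (not from the original thread): TLS, plain HTTP,
# a password containing ':', and a malformed token.
SAMPLE_REQUESTS = [
    {"scheme": "https", "authorization": "Basic " + base64.b64encode(b"alice:S3cret").decode()},
    {"scheme": "http", "authorization": "Basic " + base64.b64encode(b"bob:hunter2").decode()},
    {"scheme": "https", "authorization": "Basic " + base64.b64encode(b"carol:pa:ss").decode()},
    {"scheme": "http", "authorization": "Basic not-base64!"},
]


def parse_basic_authorization(header):
    """Decode an RFC 7617 'Basic' Authorization header into (user, password).

    Returns None when the header is not well-formed Basic auth. Base64 is an
    encoding, not encryption: anyone who sees the header sees the password.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 7617: the user-id cannot contain ':', the password may, so split once.
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        return None
    return user, password


def audit_basic_auth(requests):
    """Return (user, finding) pairs for Basic credentials sent without TLS.

    Passwords are decoded only to prove they are recoverable; they are not
    returned, so the audit output itself does not leak them.
    """
    findings = []
    for req in requests:
        cred = parse_basic_authorization(req.get("authorization", ""))
        if cred is None:
            continue
        if req["scheme"] != "https":
            findings.append((cred[0], "Basic credentials sent over cleartext HTTP"))
    return findings
```

Running it against real access logs or a packet capture needs only a request-to-dict adapter; the Kerberos leg between the web server and Active Directory is unaffected either way, which is why the TLS check belongs on the browser-facing side.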