IIS 7.0: windowsAuthentication Element (IIS Settings Schema)

Specifies Windows authentication configuration.

configuration Element [IIS 7 Settings Schema]
  system.webServer Section Group [IIS 7 Settings Schema]
    IIS 7.0: security Element (IIS Settings Schema)
      IIS 7.0: authentication Element (IIS Settings Schema)
        IIS 7.0: windowsAuthentication Element (IIS Settings Schema)

<windowsAuthentication
   enabled="True|False"
   authPersistSingleRequest="True|False"
   AuthPersistNonNTLM="True | False"
   UseKernelMode
>
   <providers>...</providers>
</windowsAuthentication>

Attributes and Elements

The following sections describe attributes, child elements, and parent elements for this section.

Attributes

Attribute	Description
AuthPersistNonNTLM	Optional boolean attribute. Specifies whether IIS automatically re-authenticates every non-NTLM (for example, Kerberos) request, even those on the same connection. True enables multiple authentications for the same connections. The default is False. Note: A setting of False means that the client will be authenticated only once on the same connection. IIS will cache a token or ticket on the server for a TCP session that stays established.
authPersistSingleRequest	Optional Boolean attribute. Setting this flag to True specifies that authentication persists only for a single request on a connection. IIS resets the authentication at the end of each request, and forces re-authentication on the next request of the session. The default value is False.
enabled	Required Boolean attribute. Specifies whether Windows authentication is enabled. The default value is False.
useKernelMode	Optional Boolean attribute. Specifies whether Windows authentication is done in kernel mode. True specifies that Windows authentication uses kernel mode. Kernel-mode authentication may improve authentication performance and prevent authentication problems with application pools configured to use a custom identity. As a best practice, do not disable this setting if you use Kerberos authentication and have a custom identity on the application pool. The default is True.

Child Elements

Element	Description
providers	Optional element. Specifies security support providers used for Windows authentication.

Element

Description

providers

Optional element.

Specifies security support providers used for Windows authentication.

Parent Elements

Element	Description
configuration	Specifies the root element in every configuration file that is used by IIS 7.
system.webServer	Specifies the top-level section group (in ApplicationHost.config) in which this element is defined.
security	Specifies the section group that contains security-related sections.
authentication	Specifies the section group that contains authentication sections.

Remarks

Default Configuration

The following default <windowsAuthentication> element is configured in the root ApplicationHost.config file in IIS 7.

<windowsAuthentication enabled="false">
   <providers>
      <add value="Negotiate" />
      <add value="NTLM" />
   </providers>
</windowsAuthentication>

Element Information

Configuration locations

Machine.config

ApplicationHost.config

Root application Web.config

Application Web.config

Directory Web.config

Requirements

Microsoft Internet Information Services (IIS) version 7.0

Reference

IIS 7.0: providers Element for windowsAuthentication (IIS Settings Schema)