Required IIS Authentication Settings

AB.

IIS authentication settings control how users are authenticated when they access web applications hosted on an IIS web server. When deploying vRealize Automation, two authentication settings must be enabled on the IIS web server hosting the IaaS components:

1. Windows Authentication Kernel Mode: This setting enables Windows Integrated Authentication (WIA) for IIS websites running on Windows Server 2008 and later. WIA allows clients to authenticate using their Windows credentials without prompting them for a username and password. Enabling Kernel mode allows the authentication to occur earlier in the request pipeline, which can improve performance.

2. Windows Authentication Extended Protection: This setting provides additional security for Windows Integrated Authentication by including a channel binding token (CBT) in the request header. The CBT is used to protect against man-in-the-middle attacks by binding the authentication process to the specific channel used for communication.

Option A, Negotiate Provider, is not a required setting for vRealize Automation IaaS web servers. The Negotiate provider uses the Security Support Provider Interface (SSPI) to negotiate the authentication protocol to use based on the client's capabilities and the server's configuration. This can include Kerberos or NTLM authentication protocols. While Negotiate is a useful feature for supporting a wide range of clients and authentication protocols, it is not required for vRealize Automation.

Option D, Anonymous Authentication, should be disabled for vRealize Automation IaaS web servers. Anonymous authentication allows users to access a website without providing any credentials. This can be useful for public websites, but is not appropriate for enterprise applications that require authentication and authorization. vRealize Automation requires authenticated access to ensure proper security and governance.