IIS 6: The Complete Reference

When multiple authentication schemes are in use, IIS and the client’s browser will prefer certain authentication schemes over others. It attempts to use the authentication schemes in the following order:

• If Anonymous authentication is enabled, it is always attempted first. If Anonymous authentication fails or is disabled, one of the authenticated access methods is used.

• First, Integrated Windows authentication is tried if enabled and supported by the browser.

• If Integrated Windows authentication is not available, Digest or Advanced Digest authentication is used if enabled and supported.

• Finally, Basic authentication is used as a last resort.

You may have noticed that .NET Passport authentication is not listed. That’s the odd member of the bunch. If .NET Passport authentication is enabled, it disables all other forms of authenticated access (although Anonymous is still available).