IIS 7.5 basic authentication and Active Directory validation

Basic authentication will work just fine for authenticating against AD - it authenticates against the IIS server's local account database; for a domain member, that includes the Active Directory domains in the forest that it's joined to.

You'll not get any kind of Kerberos ticket in return - basic auth simply includes the password in the header of requests sent to the server, and the server does with it what it will - returning either the requested resource or a 401 error. But if you're looking for user identification within the web application within IIS, then that information (which user/domain they authenticated as) should be available to the code.

Browsers will keep the entered password in memory for the life of the session, so you'll be covered for subsequent requests to that server, but not for any access to other systems or services.

There's information about configuring basic auth, including configuring the default domain and the prompt that users receive, here.


Okay, so an answer's been accepted, but I'm going to say in general:

Don't use Basic.

If there's a question for which Basic-with-domain-credentials seems like it's the right answer, it's almost always not.

Use Integrated Authentication.

Basic allows a malicious web developer to learn a user's AD credentials, and then it's game over.

Integrated allows the user to authenticate that they are who they say they are, and allows the use of Constrained Delegation to limit what a web developer can do with the token. It doesn't directly expose the username and password to interception (if SSL is mis- (i.e. not-) configured, which happens all the freakin' time), and it doesn't allow someone with write access to the web server share to write simple web applications which intercept credentials.
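
The two setups discussed in the answers above, side by side as an added illustration (not part of either answer, and not copied from the linked documentation). It is a constructed `applicationHost.config` fragment; the site names `LegacyBasicSite` and `IntegratedSite` and the domain `CONTOSO` are placeholders.

```xml
<!-- Constructed applicationHost.config fragment; site names and CONTOSO are placeholders. -->
<configuration>

  <!-- Basic against AD, as described in the first answer. -->
  <location path="LegacyBasicSite">
    <system.webServer>
      <security>
        <!-- Require SSL so the site never issues its Basic challenge over plain HTTP. -->
        <access sslFlags="Ssl" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <!-- defaultLogonDomain: domain assumed when the user types a bare username.
               realm: text the browser shows in its credential prompt. -->
          <basicAuthentication enabled="true"
                               defaultLogonDomain="CONTOSO"
                               realm="CONTOSO intranet" />
          <windowsAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>

  <!-- Integrated authentication, as recommended in the second answer. -->
  <location path="IntegratedSite">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <!-- Basic is off: application code on this site never receives the password. -->
          <basicAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <providers>
              <clear />
              <!-- Negotiate tries Kerberos first; NTLM is the fallback. -->
              <add value="Negotiate" />
              <add value="NTLM" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>

</configuration>
```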