1

I have an ASP.NET site running in IIS7 on a local intranet. I want to restrict access to this site to a specific group of users. I think I should be able to do this by using Windows Authentication within IIS, but I'm having trouble.

I've enabled the Windows Authentication feature of IIS, and I've enabled Windows Authentication on my site in inetmgr. I set authentication in the web.config for my site:

<authentication mode="Windows" />

From what I've read, this should be all I need to do... but nothing seems to happen. I tried restricting access by using directory security within windows, and was able to deny access to all users by removing read access on the directory. But I wasn't then able to restore access to the specific users required. It feels like IIS doesn't know who the user requesting the page is, as though it never actually did any authentication.

Am I missing something?

Uwe Keim
  • 2,370
  • 4
  • 29
  • 46
Mike
  • 203
  • 3
  • 5

2 Answers2

1

Can't comment - sorry.

Based on this "allow Element for authorization", you should be able to specify each users like a groups. I.E.

<configuration>
  <system.web>
    <authorization>
      <allow users="DOMAIN/robert.real, DOMAIN/silvia.dell" \>
      <deny users="*" \>
    </authorization>
  </system.web>
</configuration>

You might also want to make that only Windows Authentication is allowed.

LMA1980
  • 11
  • 2
0

Open windows explorer on the server. Find the folder of the website and open properties. On the security tab remove all permissions and give read rights only to that domain group and it will work.

Hüseyin Yağlı
  • 151
  • 4