Password Protecting an IIS7 Website with Windows Authentication

Question
-
User1377711870 posted
We would like to password protect a WordPress (PHP application) website hosted on Windows 2008/IIS7 using Windows Authentication. More specifically we want to grant a single Active Directory security group privileges to log in.
I believe all that was necessary in IIS5/6 was to remove anonymous authentication from the IIS website (directory security), and then reset the file system ACLs to grant the specific Active Directory Group permission to the folder in question.
I've tried the equivalent in IIS7 using a functioning password protected IIS6 website/folders as a guide but cannot get it to work. Here is what I get:
- Locally on the server I cannot log in using any domain account.
- Remotely I can log in using ANY domain account but the file system ACLs are set in a way that I would have expected only members of the specific AD group should be able to log in.
I'm pulling my hair out trying to figure this out. I've searched Google as well as these forums and can't find a good guide to setting this up. All I can find are posts and webpages related to "forms authentication" and how to enable the "windows authentication" option in IIS7 - which I already have.
Can someone clue me in on what I might need to do to get this working right? Or what I am missing.
Thanks!
Brad
Thursday, March 26, 2009 12:51 PM
Answers
-
User1377711870 posted
I made some progress... the following seems to work REMOTELY:
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="" roles="domain\security group" />
</authorization>
It does not work LOCALLY though - and I'm not sure why. Getting this working locally is not a huge priority but if someone happens to know why I'd sure love to know :)
Thanks
Brad
Also noteworthy is that there is:
- ASP.NET URL Authorization
- IIS 7.0 URL Authorization
Which both use the web.config file. You can learn more about the two here:
http://learn.iis.net/page.aspx/142/understanding-iis-7-url-authorization/#Differences
Just to be clear my comments above are regarding IIS 7.0 URL Authorization.
- Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
Friday, March 27, 2009 12:06 PM
All replies
-
User511787461 posted
Using url-authorization rules in web.config files may be a more portable approach than using file ACLs. Process Monitor may help you figure out if the user you think is opening the file is actually the one opening it.
Thursday, March 26, 2009 6:35 PM -
User1377711870 posted
I did actually give that a try as well and couldn't figure out how to make it work (or even if it was supposed to work, as I was using a PHP application and wasn't sure web.config files applied to non asp/asp.net sites). From your post I assume that it does.
Any guidance/suggestions on what I would put in the web.config? I tried several things the most recent iteration was the following:
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="domain\security group" />
<add accessType="Deny" users="?" />
</authorization>
</security>
Thursday, March 26, 2009 9:54 PM -
User1377711870 posted
I still can't get the web.config approach to work but I did learn some useful things during my searching:
- * = anonymous users ? = authenticated users
- Rules evaluated from Parent-level first, Deny rules first.
So in the example above using ? (authenticated users) isn't what I want. And I also need to make sure my deny rules go above my allow rules. Even still my site isn't authenticating as expected.
I thought perhaps my problem was the space in the "security group" name so I created a new group without a space - that made no improvement.
<add accessType="Deny" users="*" />
<add accessType="Allow" users="domain\securitygroup" />
I am sure this is meant to be easier - but given that it's not working, and I'm not finding a great deal of documentation explaining how it's supposed to work I'm quite frustrated. I'm tempted to open a case with Microsoft but I hate to spend the money on something so trivial.
If anyone else has this working and can fill me in on what I'm doing wrong I'd surely appreciate it.
Thanks
Brad
Friday, March 27, 2009 11:50 AM -
User511787461 posted
* = All Users, ? = anonymous user. Can you collect failed request trace for the local/remote requests and compare the working/non-working case? Is it authorization that is not working or authentication that is not working?
Monday, March 30, 2009 1:23 PM -
User962499453 posted
I have the SAME problem with Forms Authentication.
Monday, April 5, 2010 9:18 PM
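
The three rule sets posted in this thread, run through a simplified model of IIS 7.0 URL Authorization as the thread describes it (Deny rules evaluated first, `*` = all users, `?` = anonymous user, `users` compared with account names and `roles` with group names). This is an added example, not code from any poster or from IIS. It assumes the account and group names shown (constructed), that only the rules inside each snippet apply (the inherited allow-all rule is taken as removed), and that a request matching no rule is denied.

```python
import xml.etree.ElementTree as ET

# Rule sets copied from the thread; the second one is wrapped in
# <authorization> here so it parses on its own.
ATTEMPT_1 = r'''<authorization>
  <remove users="*" roles="" verbs="" />
  <add accessType="Allow" users="domain\security group" />
  <add accessType="Deny" users="?" />
</authorization>'''
ATTEMPT_2 = r'''<authorization>
  <add accessType="Deny" users="*" />
  <add accessType="Allow" users="domain\securitygroup" />
</authorization>'''
WORKING = r'''<authorization>
  <remove users="*" roles="" verbs="" />
  <add accessType="Allow" users="" roles="domain\security group" />
</authorization>'''

def _names(value):
    """Split a comma-separated users/roles attribute into a lowercase set."""
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}

def _matches(rule, user, groups):
    users, roles = _names(rule.get("users")), _names(rule.get("roles"))
    if "*" in users:                  # * = all users, anonymous included
        return True
    if user is None:                  # ? = anonymous (unauthenticated) user
        return "?" in users
    # users is compared with the account name, roles with group membership
    return user.lower() in users or bool(roles & {g.lower() for g in groups})

def is_allowed(xml_text, user, groups=()):
    """Assumed model: Deny rules first, then Allow; no match means denied."""
    rules = ET.fromstring(xml_text).findall("add")
    for access in ("Deny", "Allow"):
        for rule in rules:
            if rule.get("accessType") == access and _matches(rule, user, groups):
                return access == "Allow"
    return False

if __name__ == "__main__":
    # Constructed account that is a member of the intended group.
    member = (r"domain\alice", [r"domain\security group"])
    for label, cfg in (("attempt 1", ATTEMPT_1), ("attempt 2", ATTEMPT_2),
                       ("working", WORKING)):
        print(label, "->", "allowed" if is_allowed(cfg, *member) else "denied")
```

Under this model the first attempt denies group members because the group name sits in `users`, the second denies everyone because `Deny users="*"` is evaluated before any Allow rule, and only the `roles` form admits members while rejecting other domain accounts.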