Password-Protect an IIS 7 Site
Configuration
1) Add Authorization Rule
- IIS Manager > Sites > my_site > IIS > Authorization Rules
- Add Allow Rule...
- Select Specified Users
- Add the names of the user accounts that can access the site.
- Click OK to save.
Alternatively, update Web.config:
<system.webServer>
  <security>
    <authorization>
      <remove users="*" roles="" verbs="" />
      <add accessType="Allow" users="damien" roles="" />
    </authorization>
  </security>
</system.webServer>
TODO: Figure out how to enable all Windows accounts, or all accounts within a "web users" group or something.
ALSO: Figure out ".NET Forms Authentication" as an alternative.
2) Configure Windows Authentication in IIS Manager
- IIS Manager > Server > Sites > the website to be password-protected > Authentication
- Anonymous Authentication > Enabled
- Windows Authentication > Enabled / Response Type: HTTP 401 Challenge
3) If it seems like the login is going in an endless loop
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
- Right-click MSV1_0, point to New, and then click Multi-String Value.
- Type BackConnectionHostNames, and then press ENTER.
- Right-click BackConnectionHostNames, and then click Modify.
- In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
- Quit Registry Editor, and then restart the IISAdmin service.
(Start > Administrative Tools > Services > IIS Admin Service > right click > restart)
source: MS KB 896861
Any new password-protected subdomains will need to be added to that registry key.
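Step 3 scripted in PowerShell, as an added example that is not part of the original page or the KB article: it merges host names into BackConnectionHostNames without dropping existing entries, so it can be re-run whenever a new password-protected subdomain is added. The host names are constructed samples, and IISADMIN is assumed to be the service name of the IIS Admin Service.

```powershell
# Added example: run from an elevated PowerShell prompt on the IIS server.
# Constructed sample host names; replace with the sites hosted on this machine.
$HostNames = @('intranet.example.local', 'wiki.example.local')

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$name = 'BackConnectionHostNames'

# Read the current multi-string value, if it already exists.
$existing = @()
$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($prop) { $existing = @($prop.$name) }

# Merge old and new entries, skipping blanks and duplicates.
# -notcontains compares case-insensitively, which matches host name semantics.
$merged = @()
foreach ($h in @($existing) + @($HostNames)) {
    $h = "$h".Trim()
    if ($h -and ($merged -notcontains $h)) { $merged += $h }
}

# Create the value, or overwrite it, as REG_MULTI_SZ.
New-ItemProperty -Path $key -Name $name -PropertyType MultiString `
    -Value ([string[]]$merged) -Force | Out-Null

# Show the result so the change can be reviewed.
(Get-ItemProperty -Path $key -Name $name).$name

# Restart the IIS Admin Service, as in the manual procedure.
# Assumption: the service name is IISADMIN.
Restart-Service -Name IISADMIN
```

Listing only the host names actually served from this machine keeps the loopback check in force for every other name.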
How to set the site back to allow anonymous access
1) IIS > [the_site] > IIS > Authentication
- Anonymous Authentication > Enabled
- Windows Authentication > Disabled
2) IIS > [the_site] > IIS > Authorization Rules
- Remove the rule that allows only the specific user
- Add Allow Rule... > All Users