Allow login to app using IIS only for some users

asked 2020-09-12T02:17:50.65+00:00
Susja 236 Reputation points

I have an app, e.g. SL. It's running on Web Server using IIS.
SL has it's own authentication method.
I don't want that any user with SL account be able to login. I want only those accounts that have Windows Authentication.
My goal: 1. create account for SL for a few users 2. enable Windows Authentication in IIS 3. list those users in IIS
My expectation: only users listed in IIS will be able to login into SL
I don't want to change web.config directly.
Could I use the Authorization Rules option: (see attachment)24222-authorization-rules.png


Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,296 questions
No comments
{count} votes

7 answers

Sort by: Most helpful
  1. answered 2020-09-12T19:59:47.497+00:00
    Dave Patrick 328.6K Reputation points Microsoft MVP

    You'll find the IIS experts over here in dedicated forums.

    --please don't forget to Accept as answer if the reply is helpful--

    No comments

  2. answered 2020-09-15T09:25:24.75+00:00
    Vicky Wang 2,541 Reputation points

    Thank you for posting in our forum
    》》》My assumption is: if win_user01 wouldn't be granted access to 'directory 'he would fail to login. Is it correct?
    According to knowledge, this is ok
    Hope this information can help you
    Best wishes

    No comments

  3. answered 2020-09-12T16:31:19.723+00:00
    Susja 236 Reputation points

    Well .. the option I attached above I took from IIS 7.5 running on Windows 2008 R2.
    In my case I have Window 2016 and IIS 10.0. It does not have "Authorization Rules" in IIS Section. It has "Authorization Rules" only in ASP.NET section.
    Could you advice please how to handle my issue in IIS 10.0 ?

    No comments

  4. answered 2020-09-12T18:59:29.403+00:00
    Susja 236 Reputation points

    I added to web.config element
    <allow users="abc\user1, abc\user2"/>
    <deny users="?"/>

    But I've got 404 Error. What I did wrong?

    No comments

  5. answered 2020-09-13T01:29:18.543+00:00
    Susja 236 Reputation points

    @Dave Patrick - thanks for heads-up. I asked my question on that forum

    P.S. Since modifying web.config did not work for me I tried another approach.

    1. I created a user on app SL e.g. user1
    2. I changed Authentication in IIS and set it for 'Windows Authentication" enabled
    3. I went to security Tab of directory where my site is located e.g. C:\inetpub\wwwroot\app and added user e.g. win_user01 and granted read, list folders and execute permission.

    Is my expectation of workflow correct:
    user win_user01 is a valid user of our network hence when he'll login into his client 'Windows Authentication" will be in place.
    Next .. he opens the browser e.g. Chrome and tries to connect to SL app. He will have to provide user1 creds and be able to login.
    My assumption is: if win_user01 wouldn't be granted access to 'directory 'he would fail to login. Is it correct?
    In other words … only users that are added to directory and granted permission will be able to login into application. Is it correct?

    No comments