Here’s a short summary of steps to restrict access of an ASP.NET site to one or more specific Active Directory groups. The target environment is IIS 8.5 on Windows Server 2012 R2 – similar concepts may apply to other versions.
I’ll start with the config file excerpts that can be used by more advanced ASP.NET / IIS administrators.
<!-- web.config -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <!-- Rule order matters: the allow rule for the group must come before the deny-all rule. -->
      <allow roles="MYDOMAIN\MY-AD-GROUP" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
<!-- applicationHost.config -->
<configuration>
  <location path="YOUR-APP">
    <system.webServer>
      <security>
        <authentication>
          <!-- Turn off anonymous access so every request carries a Windows identity. -->
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
If you need to grant privileges on the filesystem to the ASP.NET app, use the “IIS APPPOOL\AppName” special security principal in your NTFS permissions so that access is granted only to that specific ASP.NET app. The user picker will not show the IIS APPPOOL virtual accounts, so you will have to type the app pool name correctly – use the “Check Names” button to verify that the app pool name resolves (the name will become underlined). Unfortunately, in the Windows file permissions “Security” tab the IIS app pools are listed only by name and the “IIS APPPOOL\” part is hidden. To see the full user names for folder or file permissions, use a command such as “icacls”, or the Get-Acl cmdlet in PowerShell.
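As an added example (not part of the original post), here is how to grant an app pool identity the minimum filesystem rights it needs and then list the full principal names that the “Security” tab hides. The app pool name “MyApp” and the path C:\inetpub\wwwroot\MyApp are assumptions; adjust both for your environment.

```powershell
# Added example, not from the original post. Assumed names: app pool "MyApp",
# content folder C:\inetpub\wwwroot\MyApp. Run from an elevated prompt.
$AppPool    = 'MyApp'
$Identity   = "IIS APPPOOL\$AppPool"
$ContentDir = 'C:\inetpub\wwwroot\MyApp'

# Grant Read & Execute only on the content folder, so the app cannot rewrite its
# own code. (OI)(CI) make the entry inherit to files and subfolders.
# ${Identity} is braced so PowerShell does not treat "Identity:" as a scope qualifier.
icacls $ContentDir /grant "${Identity}:(OI)(CI)RX"

# If the app genuinely needs to write somewhere, scope Modify to that folder only.
icacls "$ContentDir\App_Data" /grant "${Identity}:(OI)(CI)M"

# icacls prints the full account name, e.g. "IIS APPPOOL\MyApp:(OI)(CI)(RX)",
# whereas the Explorer "Security" tab would show just "MyApp".
icacls $ContentDir

# The same check with Get-Acl, filtered to IIS APPPOOL virtual accounts.
(Get-Acl -Path $ContentDir).Access |
    Where-Object { $_.IdentityReference -like 'IIS APPPOOL\*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Because the virtual account is unique per app pool, a second site on the same server that runs under a different app pool gets no access to this folder even though both pools run as “ApplicationPoolIdentity”.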
Here are some notes for configuring the same authentication settings within the IIS 8.5 GUI. Unfortunately, the settings needed aren’t all in the same place within the IIS Manager GUI.
Open the ASP.NET Authorization tool for your app / site.
Use the “Add Allow Rule…” option to start a new authorization rule.
Select “Specified roles or user groups”, type the full DOMAIN\GroupName, then save the changes.
Use the “Add Deny Rule…” option to start a new authorization rule. Deny “All users” and save the changes. The order of these rules matters: the allow rule for the user group must appear in the list above the deny-all rule.
Open the IIS Authentication tool for your app / site.
Disable every option other than “Windows Authentication”, which must be set to Enabled.
Open the “Configuration Editor” for your app / site.
Navigate to the “system.web/authentication” section in Configuration Editor.
Set the authentication “mode” to “Windows” and save your changes.
Restart IIS to make sure your changes are applied and then test access – only users belonging to the permitted group should have access.
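The same GUI steps, scripted, as an added example that is not part of the original post. It uses the WebAdministration module that ships with IIS and edits the app’s web.config directly for the authorization rules; the site name “Default Web Site”, the application “MyApp” at C:\inetpub\wwwroot\MyApp and the group “MYDOMAIN\MY-AD-GROUP” from the config excerpts above are assumptions.

```powershell
# Added example, not from the original post. Assumed names: site "Default Web Site",
# application "MyApp" at C:\inetpub\wwwroot\MyApp, group "MYDOMAIN\MY-AD-GROUP".
# Run from an elevated prompt on the IIS server.
Import-Module WebAdministration

$Site      = 'Default Web Site'
$App       = 'MyApp'
$AppPSPath = "IIS:\Sites\$Site\$App"
$WebConfig = 'C:\inetpub\wwwroot\MyApp\web.config'
$Group     = 'MYDOMAIN\MY-AD-GROUP'

# IIS Authentication tool: anonymous off, Windows on. These two sections are locked
# at the server level by default, so they are written to applicationHost.config for
# this location (the <location path="..."> block above), not to the app's web.config.
$AuthFilter = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$Site/$App" `
    -Filter "$AuthFilter/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$Site/$App" `
    -Filter "$AuthFilter/windowsAuthentication" -Name enabled -Value $true

# Configuration Editor: system.web/authentication mode = Windows (goes to web.config).
Set-WebConfigurationProperty -PSPath $AppPSPath -Filter 'system.web/authentication' `
    -Name mode -Value 'Windows'

# ASP.NET Authorization tool: allow the group, then deny everyone. Written as plain
# XML so the rule order is explicit; any existing <authorization> block is replaced.
[xml]$xml = Get-Content -Path $WebConfig
$systemWeb = $xml.configuration.SelectSingleNode('system.web')
if (-not $systemWeb) { $systemWeb = $xml.configuration.AppendChild($xml.CreateElement('system.web')) }
$old = $systemWeb.SelectSingleNode('authorization')
if ($old) { [void]$systemWeb.RemoveChild($old) }
$authz = $systemWeb.AppendChild($xml.CreateElement('authorization'))
$allow = $authz.AppendChild($xml.CreateElement('allow')); $allow.SetAttribute('roles', $Group)
$deny  = $authz.AppendChild($xml.CreateElement('deny'));  $deny.SetAttribute('users', '*')
$xml.Save($WebConfig)

# Restart IIS so every setting is picked up, then read the result back.
iisreset
Get-WebConfigurationProperty -PSPath $AppPSPath -Filter 'system.web/authentication' -Name mode
$xml.configuration.'system.web'.authorization.ChildNodes |
    ForEach-Object { '{0,-5} users={1} roles={2}' -f $_.Name, $_.users, $_.roles }

# Access test: a request carrying the caller's Windows token should succeed for a
# member of the group; the same request without credentials must be refused (401).
function Test-AppAccess {
    param([string]$Url = "http://localhost/$App/", [switch]$Anonymous)
    try {
        $params = @{ Uri = $Url; UseBasicParsing = $true }
        if (-not $Anonymous) { $params.UseDefaultCredentials = $true }
        (Invoke-WebRequest @params).StatusCode
    } catch [System.Net.WebException] {
        [int]$_.Exception.Response.StatusCode
    }
}
"Authenticated: $(Test-AppAccess)"            # 200 when run as a member of the group
"Anonymous:     $(Test-AppAccess -Anonymous)" # 401
```

Two practical caveats when testing: run the access check as an account that is actually in the group (confirm with “whoami /groups”), and remember that group membership is read from the logon token, so a user added to the AD group after logging on must log off and on again before the allow rule matches.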