ASP.NET Restrict to Active Directory Group in IIS 8.5

Here’s a short summary of steps to restrict access of an ASP.NET site to one or more specific Active Directory groups. The target environment is IIS 8.5 on Windows Server 2012 R2 – similar concepts may apply to other versions.

I’ll start with the config file excerpts that can be used by more advanced ASP.NET / IIS administrators.

<!-- web.config -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow roles="MYDOMAIN\MY-AD-GROUP" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- applicationHost.config -->
<configuration>
  <location path="YOUR-APP">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>

If you need to grant privileges on the filesystem to the ASP.NET app, use the “IIS APPPOOL\AppName” special security principal within your NTFS permissions to grant access only to the specific ASP.NET app. The user picker will not show the IIS APPPOOL virtual accounts, so you will have to type the app pool name correctly – use the “Check Names” button to verify that your app pool name is typed correctly (the name will become underlined). Unfortunately, in the Windows file permissions “Security” tabs the IIS app pools are listed ONLY by name and the “IIS APPPOOL” part is hidden. To see the full usernames for folder or file permissions, use a command like “icacls”, or the Get-ACL cmdlet in PowerShell.
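As an added example (not part of the original post), the following PowerShell grants one app pool's virtual account read-only access to a folder and then lists the ACL with the full “IIS APPPOOL\…” identity that the Security tab hides. The app pool name “MyApp” and the folder path are assumed placeholders.

```powershell
# Added example, not from the original post: grant one app pool's virtual
# account read-only NTFS access and list the ACL with full principal names.
# Assumed placeholders: app pool "MyApp", folder C:\inetpub\wwwroot\MyApp\App_Data.
param(
    [string]$AppPoolName = 'MyApp',
    [string]$Path        = 'C:\inetpub\wwwroot\MyApp\App_Data'
)

# The virtual account is "IIS APPPOOL\<pool name>"; it is not listed by the
# user picker, so the name is built as a string here.
$principal = "IIS APPPOOL\$AppPoolName"

# Read and execute only, inherited by subfolders (CI) and files (OI).
# Write rights are deliberately not granted; add them per folder only where needed.
icacls $Path /grant "${principal}:(OI)(CI)RX"

# Confirm the entry. The Security tab shows only "MyApp"; Get-Acl and icacls
# show the full "IIS APPPOOL\MyApp" identity, which is how to tell pools apart.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -like 'IIS APPPOOL\*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the web server; the final table should show exactly one non-inherited entry for the pool you named, and no other app pool.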

Here are some notes for configuring the same type of authentication settings within the IIS 8.5 GUI. Unfortunately all the settings needed aren’t in the same place within the IIS Manager GUI.

Open the ASP.NET Authorization tool for your app / site.
[Screenshot: 01_DotNetAuthorization]
Use the “Add Allow Rule…” option to start a new authorization rule.
[Screenshot: 02_AddAllowRule]
Select “Specified roles or user groups”, type the full DOMAIN\GroupName, then save the changes.
[Screenshot: 03_SpecifiedUserGroups]
Use the “Add Deny Rule…” option to start a new authorization rule. Deny “All users” and save the changes. The order of these rules matters: the allow rule for the user group must appear in the list above the deny-all rule.
[Screenshot: 04_DenyAllUsers]
Open the IIS Authentication tool for your app / site.
[Screenshot: 05_IISAuthentication]
Disable all of the options other than “Windows Authentication” (Enabled).
[Screenshot: 06_AuthenticationSettings]
Open the “Configuration Editor” for your app / site.
[Screenshot: 07_MgmtConfigEditor]
Navigate to the “system.web/authentication” section in Configuration Editor.
[Screenshot: 08_system.web_authentication]
Set the authentication “mode” to “Windows” and save your changes.
[Screenshot: 09_auth_mode_Windows]
Restart IIS to make sure your changes are applied and then test access – only users belonging to the permitted group should have access.
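As an added example (not from the original post), the PowerShell below applies the same settings as the two config excerpts and the GUI steps above, then checks the one thing that is easy to get wrong: that the allow rule for the group precedes the deny-all rule. The site name “Default Web Site”, app “YOUR-APP”, its physical path, and the group “MYDOMAIN\MY-AD-GROUP” are assumed placeholders; the WebAdministration cmdlets used are the standard ones shipped with IIS.

```powershell
# Added example, not from the original post. Applies the post's settings from
# PowerShell and verifies the allow-before-deny order in web.config.
# Assumed placeholders: site, app, physical path and group below.
Import-Module WebAdministration

$site      = 'Default Web Site'
$app       = 'YOUR-APP'
$group     = 'MYDOMAIN\MY-AD-GROUP'
$webConfig = "C:\inetpub\wwwroot\$app\web.config"

# --- applicationHost.config <location path="YOUR-APP">: Anonymous off, Windows on.
$apphost  = 'MACHINE/WEBROOT/APPHOST'
$authBase = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath $apphost -Location "$site/$app" `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location "$site/$app" `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# --- web.config <system.web>: authentication mode plus ordered authorization rules.
function Set-AspNetAuthorization {
    param([string]$Path, [string]$Group)
    if (Test-Path $Path) { [xml]$doc = Get-Content -Path $Path -Raw }
    else                 { [xml]$doc = '<configuration />' }
    $root = $doc.DocumentElement
    $sw = $root.SelectSingleNode('system.web')
    if (-not $sw) { $sw = $root.AppendChild($doc.CreateElement('system.web')) }
    $auth = $sw.SelectSingleNode('authentication')
    if (-not $auth) { $auth = $sw.AppendChild($doc.CreateElement('authentication')) }
    $auth.SetAttribute('mode', 'Windows')
    # Replace any existing <authorization> so stale rules cannot shadow the new ones.
    $authz = $sw.SelectSingleNode('authorization')
    if ($authz) { [void]$sw.RemoveChild($authz) }
    $authz = $sw.AppendChild($doc.CreateElement('authorization'))
    $allow = $authz.AppendChild($doc.CreateElement('allow')); $allow.SetAttribute('roles', $Group)
    $deny  = $authz.AppendChild($doc.CreateElement('deny'));  $deny.SetAttribute('users', '*')
    $doc.Save($Path)
}

# --- Verification: first matching rule wins in ASP.NET URL authorization, so the
# allow for the group must come before <deny users="*" />.
function Test-AspNetAuthorization {
    param([string]$Path, [string]$Group)
    [xml]$doc = Get-Content -Path $Path -Raw
    $sw = $doc.configuration.'system.web'
    if ($sw.authentication.mode -ne 'Windows') { return 'FAIL: authentication mode is not Windows' }
    $rules = @($sw.authorization.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    $allowIdx = -1; $denyIdx = -1
    for ($i = 0; $i -lt $rules.Count; $i++) {
        $r = $rules[$i]
        if ($allowIdx -lt 0 -and $r.Name -eq 'allow' -and $r.roles -eq $Group) { $allowIdx = $i }
        if ($denyIdx  -lt 0 -and $r.Name -eq 'deny'  -and $r.users -eq '*')    { $denyIdx  = $i }
    }
    if ($allowIdx -lt 0) { return "FAIL: no <allow roles=`"$Group`" /> rule" }
    if ($denyIdx  -lt 0) { return 'FAIL: no <deny users="*" /> rule; everyone authenticated gets in' }
    if ($denyIdx -lt $allowIdx) { return 'FAIL: deny-all precedes the allow rule; the group is locked out' }
    return 'OK: allow rule precedes deny-all'
}

Set-AspNetAuthorization  -Path $webConfig -Group $group
Test-AspNetAuthorization -Path $webConfig -Group $group

# Apply, then test as a member and a non-member of the group:
# iisreset
```

The IIS-side cmdlets write to applicationHost.config, which is why they take `-Location` and the APPHOST path; the ASP.NET settings go into the app's own web.config, which is why that part edits the XML directly and matches the first excerpt in this post. Re-run `Test-AspNetAuthorization` after any manual change in the GUI to catch a reordered rule before users report a lock-out.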


About notesbytom

Keeping technology notes on WordPress.com to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).
This entry was posted in System Administration.

3 Responses to ASP.NET Restrict to Active Directory Group in IIS 8.5

  1. Geoffrey says:

    This was very helpful, thank you!

  2. Leszek says:

    Hi, is it applicable to SharePoint Websites hosted on IIS?

    • notesbytom says:

      Hello @Leszek. For SharePoint, I recommend using the SharePoint UI or SharePoint-provided management tools. Microsoft is unlikely to support a SharePoint instance where changes have been made to the back-end IIS instance unless following a support document provided by Microsoft for the SharePoint product.
