Basic HTTP Authentication in IIS - .htaccess

Is it possible to do BOTH of these using a web.config file? If not, what would be the easiest way to achieve them on an IIS server.
Protect a web-accessible folder via HTTP auth
Allow access from a specific username/password AND a specific IP address
This is possible using .htaccess and .htpasswd on Apache, but I need an IIS equivalent if one exists.

Related

I want some users to continue using HTTP while others should use HTTPS

I have recently switched my website from HTTP to HTTPS. For some external users, they do not have enough permissions to access via HTTPS and they still need to access via HTTP.
I want to keep both HTTP and HTTPS, but HTTP only for a specific group of users.
How to make this change in IIS 8?
Any ideas, please suggest.
You can try the following steps:
Step1: configure https.
Set IIS to work with HTTPS (http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/ )
Test HTTPS locally to make sure that it works.
In your firewall (to Internet), configure it so that it allows port 443 (https) to your IIS server.
This will allow ALL people to access your website using https, since we have not configured any restrictions.
Steps2: configure http.
Install WindowsAuthenticationModule if it is not already installed
In IIS Manager, click the website.
Double click Authentication in the middle pane
Select Windows Authentication and enable it
Select Anonymous Authentication and disable it.
Since the users on your local network is authenticated to AD, and the website is in their local zone, they should automatically authenticate and should not see the login box. People outside your network are not authenticated, hence should need to logon to access the website.

In IIS, how do you configure folder access for basic authentication?

In IIS 7, how do you configure folder access for basic authentication against domain?
I've done the following:
Enabled Authentication - Basic Mode.
This seems to work for regular folders, but once I convert the folder to an Application in IIS, users get rejected unless I add them specifically to the Security item in Windows. Do I need to do this for every single user?
What if I need all members of domain to access a given url?

ColdFusion 9 and IIS server encryption

We have a ColdFusion developer who claims that solely by adding a few lines of code in the Application.cfm file of an application that he wants to be encrypted that he can force the IIS Web server to encrypt all communications involving that application. So for example, let's assume this developer's ColdFusion application resides at www.ThisIsIt.com/xyz/. He includes a conditional statement in his Application.cfm file (see below) to force a Web browser to preface the URL to his application with https.
<CFIF not cgi.server_port_secure>
<CFLOCATION URL="https://#cgi.server_name##cgi.script_name#" ADDTOKEN="no"/>
</CFIF>
Meanwhile within Internet Information Services (IIS) Manager, the xyz directory is NOT set to require SSL. If you visit https://www.ThisIsIt.com/xyz/, it will in fact be prefaced by https, but how can the content of his application as well as the communication between server and client Web browser be encrypted if the IIS Web server is not instructed/configured to encrypt the xyz directory, and why does the Web browser indicate an encrypted communication? Is this a mere trick or a legitimate means to encrypt a ColdFusion application?
The application-based rule works by detecting that SSL is not being used and redirects the user to the secure HTTPS domain. A valid SSL certificate is required to be configured otherwise a security message is displayed.
This method only forces HTTPS access for ColdFusion scripts. Static, non-CFML files like CSS, JS, PDF (that don't care about the presence of the application.cfm script) can be accessed directly without any HTTPS redirect.
The best way to "force" SSL for all web requests using IIS is with a web.config rule.
https://stackoverflow.com/a/29089228/693068

Coldfusion 10 Ignores IIS authorization rules

I have a website for which I am trying to configure the security of certain directories. I have added the appropriate deny and allow rules under IIS Authorization Rules.
If a user tries to access the folder without specifying the file name in the URL, IIS kicks in and applies the rules properly. For example, https://example.org/siteadmin/groupeditor will correctly cause IIS authorization rules to be applied.
If the user tries to access a static file like *.jpg or *.htm, IIS will also properly apply the authorization rules. https://example.org/siteadmin/groupeditor/mypicture.gif or https://example.org/siteadmin/groupeditor/test.htm will cause IIS authorization rules to be applied.
If a user knows the CFM page name, they can access the page. https://example.org/siteadmin/groupeditor/mypage.cfm will render
I have the pages "guarded" with logic in an application.cfc to check to see if the user is in an appropriate role. However, it is bugging me to no end that this configuration isn't working properly. The only thing that I can guess is that somehow ColdFusion's ISAPI filter is getting access to the request before IIS. Is this correct? Is there any way to fix this?

II7 prompt for username/password for virtual directory

I have a virtual directory setup on my server. The main website is public on port 80 but I have a /subfolder virtual directory that I want to ask for a username and password (not a ASP page, standard username password prompt).
Any ideas?
You can set the permissions on each directory separately, so you can leave the main site open to everyone (allow anonymous access), but then restrict the subdirectory (turn off anonymous access and turn on something else, such as basic authentication--just be aware of the security implications if you use basic authentication over HTTP instead of HTTPS). Select the directory and then click on the Authentication option to change these settings.
See also http://technet.microsoft.com/en-us/library/cc733010%28WS.10%29.aspx for more info on the pros and cons of various authentication options and the things you should consider.

Resources