In Internet Information Services 10 (IIS 10) in Windows Server 2016, it’s possible to enable access to an IIS webpage for Active Directory Users and Groups. In case your website does not have integrated security, it’s possible to make use of Active Directory security groups for securing your website. This functionlaity uses the Windows Authentication.
To do so, you need to take the following actions
- Add Windows Role “URL Authorization” for Web Server (IIS)
- Set up Authorization Rules in IIS
Add Windows Role “URL Authorization” for Web Server (IIS)
To have the option to secure your website with Authorization Rules, you first must add the Windows Role IIS URL Authorization.
- Open Server Manager
- Click Add Roles and Features
- At Server Roles, expand Web Server (IIS) -> Web Server -> Security
- Enable URL Authorization, and finish the wizard
Now, close all IIS Manager windows and close Server Manager. This will solve the issue you don’t see the option “Authorization Rules”
Set up Authorization Rules in IIS
Since you have installed the sub-role URL Authorization, you can now setup the user or groups to allow or deny access to your IIS website. To do so:
- Open IIS Manager, either via your Start Menu, or by using the Run command “inetmgr”
- . At top level in the IIS tree, open Authorization Rules in the main pane.
- In the Authorization Rules window, click Add Allow Rule in right side pane
- Choose either “Specified roles or user groups” or Specified Users”, and type the objects in the following convention: domain\objectname
- i.e: contoso\IISusers_App1
- ie: contoso\JohanDerksen
By the way: make sure you have Windows Authentication enabled with a HTTP 401 Challenge. Or there will not be much to authenticate 😉 .
Aboves guide also applies to IIS 7, IIS 8, Windows Server 2012 and Windows Server 2008
Thanks for the article, do you know if it’s possible to allow access for a group only for one site? When I add a rule for a site, this rule is apply for all site 🙁