IIS AD Group permission – setting up in Windows Server 2016

In Internet Information Services 10 (IIS 10) in Windows Server 2016, it’s possible to enable access to an IIS webpage for Active Directory Users and Groups. In case your website does not have integrated security, it’s possible to make use of Active Directory security groups for securing your website. This functionlaity uses the Windows Authentication.

To do so, you need to take the following actions

  1. Add Windows Role “URL Authorization” for Web Server (IIS)
  2. Set up Authorization Rules in IIS

Add Windows Role “URL Authorization” for Web Server (IIS)

To have the option to secure your website with Authorization Rules, you first must add the Windows Role IIS URL Authorization.

  1. Open Server Manager
  2. Click Add Roles and Features
  3. At Server Roles, expand Web Server (IIS) -> Web Server -> Security
  4. Enable URL Authorization, and finish the wizard

Add Windows Role URL Authorization for Web Server (IIS)

Now, close all IIS Manager windows and close Server Manager. This will solve the issue you don’t see the option “Authorization Rules

Set up Authorization Rules in IIS

Since you have installed the sub-role URL Authorization, you can now setup the user or groups to allow or deny access to your IIS website. To do so:

  1. Open IIS Manager, either via your Start Menu, or by using the Run command “inetmgr”
  2. . At top level in the IIS tree, open  Authorization Rules in the main pane.
  3. In the Authorization Rules window, click Add Allow Rule in right side pane
  4. Choose either “Specified roles or user groups” or Specified Users”, and type the objects in the following convention: domain\objectname
    1. i.e: contoso\IISusers_App1
    2. ie: contoso\JohanDerksen

Set Up Authorization Rules in IIS

By the way: make sure you have Windows Authentication enabled with a HTTP 401 Challenge. Or there will not be much to authenticate 😉 .

IIS Windows Authentication

Aboves guide also applies to IIS 7, IIS 8, Windows Server 2012 and Windows Server 2008

5 1 vote
Article Rating
Notify of
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments

Thanks for the article, do you know if it’s possible to allow access for a group only for one site? When I add a rule for a site, this rule is apply for all site 🙁

Would love your thoughts, please comment.x