Hi All,

This should be much simpler than it has proven to be!

I have an ASP.Net web app which uses FORMS authentication to secure part of the site (i.e. the member login area).

Now I simply want to put a traditional/simple browser password popup (directory security) across the whole site because we are testing it and don't want anyone to stumble across the site and see the unfinished version etc!

This used to be super simple in older IIS versions.

I have "installed basic authentication" (as IIS7 doesn't come out of the box with this now). But when I enable it, it tells me that I can't have that enabled at the same time as any redirect based authentication (which is what my FORMS authentication uses).

So that's just stupid.

There has to be a super simple way to simply put a cheap popup password across the whole site without impacting on the other authentication method that you have set up inside web.config for the actual application.

Many thanks..

UPDATES

IP access restrictions are good for a couple of reasons:

- My IP is dynamic and therefore constantly changing.
- I don't want to bother anyone that needs to see the site by asking them to bring up a console on their machine and work out their IP address or check their router etc. Many of them are non-technical business users and it will take them an hour to work out their IP address.
- Both basic auth and windows auth don't allow the underlying forms authentication to remain in place underneath.

What we seem to have here is a massive case of Microsoft trying to over-engineer things and as a result a super simple age-old requirement is no longer possible or easily achievable. This has to be possible somehow... ANYONE???

A: 

Just use windows authentication.

Basically you just put this in your web.config:

    <configuration>
        <system.web>
            <authentication mode="Windows" />
            <authorization>
                <deny users="?"/>
            </authorization>
        </system.web>
    </configuration>

Pretty easy if you ask me.

klausbyskov
Your code means that my existing Forms authentication is no longer set up, because it uses the same section in the web.config. So if I use your Windows authentication idea, I no longer have the forms authentication in place. The Forms authentication is required for the actual site functionality, i.e. MEMBER LOGIN etc.
Aaron
I have installed "Windows authentication" and enabled it, but like I suspected, it completely overrides the existing forms authentication that is underneath. You can only have one or the other. I don't think you get what I am trying to achieve.
Aaron
Yes, I get it now, and I see how what I proposed does not work. How about adding ip-restrictions to the website instead then (or only make it available on the intranet)?
klausbyskov
I tried that and it is another whole can of worms. But it's not really good enough anyway, because I want to be able to simply email a group of people the password, without asking them all to work out their IP address via their console and/or routers etc. So IP restrictions are a major hassle. Plus the IIS interface for it is terrible and I already found a(nother) IIS bug!
Aaron
IIS7 FAIL - this should be a 2-second button that's easy to find - not hours and hours of editing XML files and creating custom wrappers. Total over-engineering.
Aaron
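
One way to get the site-wide password prompt described in the question while leaving the Forms authentication section of web.config untouched, as an added example that is not code from this thread: an ASP.NET HTTP module that issues its own Basic challenge before the application runs. It assumes .NET 4.5 or later (for `SuppressFormsAuthenticationRedirect`), the IIS integrated pipeline and HTTPS; the class name and the `PreviewGate.Credentials` appSettings key are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Text;
using System.Web;

// Hypothetical module. Register it under <system.webServer><modules> without a
// managedHandler preCondition so static files are gated too (integrated pipeline).
public class SitePasswordModule : IHttpModule
{
    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        // Assumed appSettings key holding "user:password" for the preview gate.
        // If it is missing, every request is challenged (fail closed).
        string expected = ConfigurationManager.AppSettings["PreviewGate.Credentials"];
        if (!string.IsNullOrEmpty(expected) &&
            IsAuthorized(app.Request.Headers["Authorization"], expected))
            return; // Gate passed: Forms authentication then runs as configured.

        HttpResponse res = app.Response;
        res.StatusCode = 401;
        res.AddHeader("WWW-Authenticate", "Basic realm=\"Preview\"");
        // Without this, FormsAuthenticationModule rewrites the 401 into a redirect
        // to the login page, which is the conflict IIS warns about.
        res.SuppressFormsAuthenticationRedirect = true;
        app.CompleteRequest();
    }

    private static bool IsAuthorized(string header, string expected)
    {
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        byte[] supplied;
        try { supplied = Convert.FromBase64String(header.Substring(6).Trim()); }
        catch (FormatException) { return false; } // Malformed header: challenge again.
        return FixedTimeEquals(supplied, Encoding.UTF8.GetBytes(expected));
    }

    // Compares without exiting early, so timing does not reveal how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Basic credentials travel base64-encoded on every request, so the gate only protects the preview site when it is served over HTTPS.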