ansaurus

Question

IIS7 - Password Protect Development Server

Answer 1

A:

We wrote a custom module for IIS to allow certain IP ranges through automatically, and present anyone else with a login dialogue. Once they'd logged in, it stored that fact in their session and simply passed requests through.

Works alright, can be applied to anything in IIS sites or services.

Massif 2009-08-05 13:49:43

No good when my ISP gives me a totally random dynamic IP every time. Also no good when I need to give access to a select group of testers or business partners, say 50 of them, who all need to access the dev site. I can't make them all spend an hour each to go fumbling around for their IP address because they are all located in different physical locations and they are business people, not technical people. They have no idea how to obtain their IP address from their router/network config etc. I need to simply be able to email them with a password so they can easily hit the site.

Aaron 2010-10-20 02:42:50

Answer 2

A:

My previous answer said forms auth and basic http auth could live side by side in II7 integrated mode. I was completely wrong and have since made a simple solution.

Using a custom HttpModule you can add basic auth along side regular forms auth

public class CustomBasicAuthHttpModule : IHttpModule
{
    private HttpApplication httpApplicationContext;

    public void Dispose()
    {
    }

    public void Init(HttpApplication context)
    {
        this.httpApplicationContext = context;
        context.BeginRequest += this.OnBeginRequest;
        context.EndRequest += this.OnEndRequest;
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        // your logic of checking Auth header goes here
        if (this.httpApplicationContext.Request.Headers["Authorization"] != "Basic base64-encoded-user:pass")
        {
            this.httpApplicationContext.Response.StatusCode = 401;
            this.httpApplicationContext.Response.End();
        }
    }

    private void OnEndRequest(object sender, EventArgs e)
    {
        if (this.httpApplicationContext.Response.StatusCode == 401)
        {
            this.httpApplicationContext.Response.AddHeader("WWW-Authenticate", "Basic");
        }
    }

then in your web.config

  <system.webServer>
    <modules>
      <add name="CustomBasicAuthHttpModule" type="Namespace.CustomBasicAuthHttpModule, AssemblyName"/>
    </modules>
  </system.webServer>

jayrdub 2009-08-05 14:55:15

Actually it's not just as simple in my case.Your solution was the first thing I tried - but somehow "basic authentication" interferes with the "forms authentication" of the most basic new MVC project as we all know it from Visual Studio / New Project.After authenticating via "basic authentication" I get redirected to the default login url whatever I try and my browser is not even permitted to download the Site.css file.Any ideas?!

2009-08-07 14:18:16

The IIS basic authentication will have nothing to do with the forms authentication, completely different. The way you phrased your question made it sound like you want to block all access to even the forms login page to anyone but your clients, but once past the IIS challenge-response, they'd login through the forms authentication. I don't know how to have IIS authenticate on behalf of sql forms, sorry. I guess I don't get the point either, what's wrong with forms authentication, why would a IIS challenge-response be better?

jayrdub 2009-08-07 16:16:08

You're totally wrong jayrdub. The question was explained well and this is a very common requirement. IIS itself states that "basic authentication cannot be used with any redirect based authentication method such as forms authentication". "Windows authentication" also comes with the same caveat. You can use both basic and windows authentication no problems, providing you don't also have forms authentication running underneath in the application. The OP's question is very legitimate and a common requirement.

Aaron 2010-10-20 02:39:40

It is super common to have an ASP.Net application that uses "forms authentication" in the application itself. Explanation: This simply would be something such as having a "member login" area of your site - most sites have something like that. THEN you ALSO want to throw a quick and dirty popup password over the ENTIRE site because it is currently in development/test and you don't want random internet surfers coming across it. This is done all the time on IIS6 and unix web servers, why can't IIS7 allow such a simple configuration with a single one click button.

Aaron 2010-10-20 02:41:10

@Aaron, you're totally right, I don't know why I answered it that way. I edited and added the solution I use

jayrdub 2010-10-20 16:19:37

Answer 3

A:

I just did this with Helicon Ape. The free license includes 3 sites, which for me was good enough.

If you use this on a site, just remember to check if the license is activated for the site (start menu > helicon > ape > manager, help, license manager).

Bruno Lopes 2010-06-03 16:17:31

A third party add-on shouldn't be required for such a simple task.

Aaron 2010-10-20 02:37:24

No, it shouldn't. Doesn't mean it isn't, sadly.

Bruno Lopes 2010-10-20 08:33:38

Answer 4

A:

As Aaron points out, this isn't so straightforward in IIS7. Now, the flip side is this old trick is insecure at best and there are better ways to do it now and being able to use all authenticaiton methods with all apps has lots of advantages. There are some ways to get around this such as:

a) keeping the development site behind a VPN which your clients can access.
b) reverse proxying the site, and letting the proxy do the http authentication.
c) A bit more involved would be to build your app with a demo mode. Trick here is to make it turn on or off from the first request given a special magic query string. Check for that in Session_Start() then tag users that come with it and profit.

Wyatt Barnett 2010-10-20 16:35:04

ansaurus

tags:

views:

answers:

IIS7 - Password Protect Development Server

related questions