IIS : Windows Authentication2022/01/26 |
Set Windows Authentication to a folder to require authentication for users.
For different point from Basic Authentication,
On Basic Authentication, user authentication form is always displayed and it needs to input user information to authenticate manually.
However, On Windows Authentication, if Client Computer is Windows OS and he accesses to the Windows Authentication folder,
current logon user information is sent to IIS server automatically by Web Browser and authentication process runs with it.
Therefore, if IIS Host and Client Windows Host are in the same Windows AD Domain, when accessing to Windows Authentication folder from Windows Client,
authentication form is not displayed and can access to the contents in the folder without inputting user infomation because authentication process runs automatically by Web Browser.
Furthermore, even if Client Windows computer is out of AD Domain, there is a case to be able to access without inputting user authentication infomation manually.
If there is a local user on Client Host that has the same username and same password with a user on IIS Host,
and also set a configration on Web browser that target site is added as a Safe Site, then, authentication process succeeds automatically.
For a few case of above only, authentication form in not displayed, but on other cases, it needs to input user authentication infomation manually,
the behavior is the same with Basic Authetication on users viewpoint.
|
|
[1] | Run PowerShell with Admin Privilege and Configure. On this example, Configure settings that create a [auth_win] folder under the [RX-7.srv.world] site and set Windows Authentication to the Folder. |
Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved. # install windows Authentication feature PS C:\Users\Administrator> Install-WindowsFeature Web-Windows-Auth Success Restart Needed Exit Code Feature Result ------- -------------- --------- -------------- True No Success {Windows Authentication} # restart IIS PS C:\Users\Administrator> Restart-Service W3SVC PS C:\Users\Administrator> Get-Website Name ID State Physical Path Bindings ---- -- ----- ------------- -------- Default Web Site 1 Started %SystemDrive%\inetpub\wwwroot http *:80: RX-7.srv.world 2 Started C:\inetpub\newsite http *:80:rx-7.srv.world https *:443:rx-7.srv.world sslFlags=0 # create [auth_win] folder PS C:\Users\Administrator> New-Item -ItemType Directory -Path "IIS:\Sites\RX-7.srv.world\auth_win" Directory: WebAdministration::\\RX-7\Sites\RX-7.srv.world Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 1/24/2022 11:21 PM auth_win # disable anonymous authentication for target folder PS C:\Users\Administrator> Set-WebConfigurationProperty -Filter '/system.webServer/security/authentication/anonymousAuthentication' -Location "RX-7.srv.world/auth_win" -Name enabled -Value False # enable Windows authentication for target folder PS C:\Users\Administrator> Set-WebConfigurationProperty -Filter '/system.webServer/security/authentication/windowsAuthentication' -Location "RX-7.srv.world/auth_win" -Name enabled -Value True # restart target Web site PS C:\Users\Administrator> Restart-WebItem -PSPath 'IIS:\Sites\RX-7.srv.world' # create a test page PS C:\Users\Administrator> Write-Output "Windows Authentication Test Page" | Out-File C:\inetpub\newsite\auth_win\index.html -Encoding Default # verify accesses ⇒ [-u (username)] # need authentication except specific some cases written in the beginning of this page PS C:\Users\Administrator> curl.exe --ntlm -u Serverworld https://rx-7.srv.world/auth_win/ Enter host password for user 'Serverworld': # user password Windows Authentication Test Page |
IIS : Windows Authentication (GUI)
|
On GUI configuration, set like follows.
|
|
[2] | Run [Start] - [Server Manager] and enter [Add roles and features], then check a box [Windows Authentication] and install it. |
[3] | After installing, restart IIS. |
[4] |
Create a folder that you'd like to set Windows Authentication.
Run [Start] - [Server Manager] and Click [Tools] - [Internet Information Services (IIS) Manager],
and then Select a folder you'd like to set Windows Authentication on the left pane and then Open to click [Authentication] on the center pane.
On this example, create a [auth_win] folder for it. Also add NTFS access permission for users or groups you'd like to allow to access to the folder. |
[5] | Disable [Anonymous Authentication] and Enable [Windows Authentication] like follows. |
[6] | Create a test page under the folder you set Windows Authentication and verify accesses. If Client host is also Windows and that is in specific cases written in the beginning of this page, the authentication form like follows are not displayed, but on other cases, following authentication form is displayed and required to input user authentication infomation. |
[7] | That's OK if successfully authenticate and test page is shown normally. |
Sponsored Link |
|