R – ASP.NET + IIS6: whitelist users via authorization section in web.config

Tags: asp.net, authorization, iis-6, security, web.config

Consider an IIS6 Application under a web site:

  • Windows authentication is enabled.
  • Anonymous authentication is off.

This is an ASP.NET MVC application with Areas. The root web.config has the authentication and authorization nodes as follows:

<authentication mode="Windows"></authentication>

<authorization>
    <allow users="domain\abc, domain\xyz, domain\foo, domain\bar"/>
</authorization>

My identity is NOT in the list of allowed users. Entering the URL in the browser, I can view and navigate to all the pages within. I know I am being authorized properly, as my Active Directory name is displayed on the site.

Problem: I am given access to the site.

Question: Using the web.config, how can I restrict users based on their Windows credentials to this IIS6 Application?

Best Answer

Try this:

<authorization>
    <allow users="domain\abc, domain\xyz, domain\foo, domain\bar"/>
    <deny users="*"/>
</authorization>
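To see why the original configuration lets every authenticated user in and why the added `<deny users="*"/>` closes the gap, the following script (an added example, not part of the question or the answer) simulates how ASP.NET URL authorization merges and evaluates `<allow>`/`<deny>` rules: the application's rules are evaluated first, in document order, the rules inherited from the machine-level configuration are appended after them, and the first rule that matches the current identity decides. The inherited default is assumed to be the stock `<allow users="*"/>`; the identities and roles are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Assumed inherited default from the machine-level configuration:
# every user (including anonymous) is allowed unless an earlier rule says otherwise.
INHERITED_DEFAULT = '<authorization><allow users="*"/></authorization>'

# The question's configuration (allow list only) and the answer's fix (deny everyone else).
ORIGINAL_CONFIG = r"""
<authorization>
    <allow users="domain\abc, domain\xyz, domain\foo, domain\bar"/>
</authorization>
"""

FIXED_CONFIG = r"""
<authorization>
    <allow users="domain\abc, domain\xyz, domain\foo, domain\bar"/>
    <deny users="*"/>
</authorization>
"""


def parse_rules(xml_text):
    """Return (action, users, roles) tuples in document order from an <authorization> element."""
    root = ET.fromstring(xml_text)
    rules = []
    for el in root:
        if el.tag not in ("allow", "deny"):
            continue
        users = [u.strip().lower() for u in el.get("users", "").split(",") if u.strip()]
        roles = [r.strip().lower() for r in el.get("roles", "").split(",") if r.strip()]
        rules.append((el.tag, users, roles))
    return rules


def rule_matches(users, roles, identity, identity_roles):
    """First-match semantics: '*' is everyone, '?' is the anonymous user, names and roles are case-insensitive."""
    if "*" in users:
        return True
    if identity is None:
        return "?" in users
    if identity.lower() in users:
        return True
    return any(r.lower() in roles for r in identity_roles)


def is_authorized(app_config, identity, identity_roles=(), inherited=INHERITED_DEFAULT):
    """Evaluate the application's rules, then the inherited ones; the first matching rule wins.

    identity is the Windows account name (e.g. r'domain\abc') or None for an anonymous request.
    """
    rules = parse_rules(app_config) + parse_rules(inherited)
    for action, users, roles in rules:
        if rule_matches(users, roles, identity, identity_roles):
            return action == "allow"
    # With the stock inherited allow-all rule this line is never reached.
    return True


if __name__ == "__main__":
    # Constructed sample identities: one on the list, one authenticated but not listed, and anonymous.
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        for who in (r"domain\abc", r"DOMAIN\someone", None):
            print(f"{label:8} {who!s:16} -> {is_authorized(cfg, who)}")
```

With the original configuration the unlisted user falls through the allow list and hits the inherited allow-all rule, which is exactly the behaviour described in the question; with the explicit `<deny users="*"/>` in place only the listed accounts pass.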