Restrict access to IIS site to an AD Group

Solution 1:

The following should work, depending on your IIS version. You'll need to add a web.config if you don't have one (though you should on IIS7) in the directory root of your site. The below will allow Domain Admins and deny Domain Users (fairly self-explanatory). Make sure you line up the config sections if you already have a section, etc.

<configuration>
  <location path="MyPage.aspx/php/html">
    <system.web>
      <authorization>
        <allow users="DOMAIN\Domain Admins"/>
        <deny users="DOMAIN\Domain Users"/>
      </authorization>
    </system.web>
  </location>
</configuration>

You will need Windows Authentication enabled under Authentication in your site preferences for this to work, obviously, but I assume you already have this enabled.

Solution 2:

joshatkins' answer does not work in IIS7. For IIS7, you need to use the roles attribute. Also, if you want to restrict the whole site, you don't need the location element.

<authorization>
  <allow roles="DOMAIN\Domain Users"/>
  <deny users="*" />
</authorization>

Solution 3:

Just adding a couple more points to the other answers that helped me figure out how to get this working after I had basic AD Authentication working fine with IIS.

  1. Add Role or Feature via Windows Server Manager: Web Server (IIS) --> Web Server --> Security --> URL Authorization.
  2. Close then reopen the IIS Manager (if you have it open), now you will see (under the IIS Section for your site) Authorization Rules. Open this up.
  3. Click on the right side panel: Add Allow Rule
  4. Under Specified roles or user groups, type the name of the AD group you need, e.g. myDomain\myGroup, and select OK.
  5. Repeat step 4 for the groups that you need.

If you just want to edit the configuration file directly, then it would look something like this:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        ...
        <security>
            <authorization>
                <remove users="*" roles="" verbs="" />
                <add accessType="Allow" roles="myDomain\myGroup01" />
                <add accessType="Allow" roles="myDomain\myGroup02" />
            </authorization>
        </security>
    </system.webServer>
</configuration>
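The answers above converge on one pattern: remove or deny the catch-all rule, then allow named AD groups through the roles attribute (Solution 2 notes that putting a group name in users does not work on IIS7). Below is an added example, not code from any of the answers, that parses a web.config and checks for that pattern in both the system.web and the system.webServer/security styles. The three sample configs are constructed to mirror Solutions 1, 2 and 3, and the "backslash in users= means an AD group in the wrong attribute" rule is a heuristic assumption, since DOMAIN\name can also be a single account.

```python
# Added example: audit an IIS web.config for "deny everyone, allow named AD groups".
# Not part of the original answers; sample configs below are constructed.
import xml.etree.ElementTree as ET


def _split(value):
    """Split a comma-separated users=/roles= attribute into a clean list."""
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_web_config(xml_text):
    """Summarise the authorization rules in a web.config.

    Handles both rule styles from the thread:
      * ASP.NET:  <system.web><authorization><allow|deny users= roles=/>
      * IIS URL Authorization: <system.webServer><security><authorization>
        <remove users="*"/> and <add accessType="Allow|Deny" users= roles=/>
    Rules in <location> blocks are folded in with site-wide ones.
    """
    root = ET.fromstring(xml_text)
    report = {"allowed_roles": [], "allowed_users": [], "default_deny": False, "findings": []}

    for authz in root.iter("authorization"):
        for rule in authz:
            users = _split(rule.get("users", ""))
            roles = _split(rule.get("roles", ""))
            access = rule.get("accessType", "").lower()

            if rule.tag == "allow" or (rule.tag == "add" and access == "allow"):
                report["allowed_roles"].extend(roles)
                report["allowed_users"].extend(users)
                if "*" in users:
                    report["findings"].append('allow users="*" grants access to everyone')
            elif rule.tag == "deny" or (rule.tag == "add" and access == "deny"):
                if "*" in users:
                    report["default_deny"] = True
            elif rule.tag == "remove" and "*" in users:
                # Removing the inherited allow-all rule: IIS then denies any request
                # that no remaining allow rule matches.
                report["default_deny"] = True

    # Heuristic (assumption): DOMAIN\name in users= is usually a group in the wrong attribute.
    for name in report["allowed_users"]:
        if "\\" in name:
            report["findings"].append(f"'{name}' is in users=; an AD group belongs in roles=")
    if not report["default_deny"]:
        report["findings"].append("no catch-all deny: users outside the listed groups are not blocked")
    if not report["allowed_roles"]:
        report["findings"].append("no roles are allowed; no AD group is granted access")
    return report


# Constructed samples mirroring the three answers.
USERS_ATTRIBUTE_CONFIG = r"""<configuration>
  <location path="MyPage.aspx">
    <system.web><authorization>
      <allow users="DOMAIN\Domain Admins"/>
      <deny users="DOMAIN\Domain Users"/>
    </authorization></system.web>
  </location>
</configuration>"""

ROLES_CONFIG = r"""<configuration><system.web>
  <authorization>
    <allow roles="DOMAIN\Domain Users"/>
    <deny users="*"/>
  </authorization>
</system.web></configuration>"""

URL_AUTHZ_CONFIG = r"""<configuration><system.webServer><security>
  <authorization>
    <remove users="*" roles="" verbs=""/>
    <add accessType="Allow" roles="myDomain\myGroup01"/>
    <add accessType="Allow" roles="myDomain\myGroup02"/>
  </authorization>
</security></system.webServer></configuration>"""


if __name__ == "__main__":
    for label, cfg in [("users= style", USERS_ATTRIBUTE_CONFIG),
                       ("roles= style", ROLES_CONFIG),
                       ("URL Authorization", URL_AUTHZ_CONFIG)]:
        r = audit_web_config(cfg)
        print(f"{label}: roles={r['allowed_roles']} default_deny={r['default_deny']}")
        for f in r["findings"]:
            print("  finding:", f)
```

Run against the first sample it reports no default deny, no roles allowed and a group name sitting in users=; the other two come back clean. It reads only the file you hand it, so rules inherited from applicationHost.config or a parent web.config are outside its view.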

Solution 4:

If the web.config authorization rules do not work (for example because a CGI script runs), you can use the folder permissions system to disable inheritance, remove the IIS users (so that nobody has read access) and just add the security group with read access. You also have to enable some form of authentication method (e.g. Basic or Windows Integrated) so that the visitor is recognised.