Configuring IIS 7 to Force Authentication on the Admin Site
This article describes how to use IIS authentication to further protect and secure your AspDotNetStorefront admin site. The concepts covered here require an understanding of Windows Security, and should be undertaken by a knowledgeable IT professional. Improperly configured security settings on a publicly facing server can potentially make the server vulnerable to attack or prevent legitimate users from accessing the system.
Choosing between Windows Authentication and Basic Authentication
IIS 7 provides administrators with a choice of three settings for authenticating users.
For the purpose of this article, we will cover the two applicable options.
Windows Authentication in IIS 7 is the most secure option, as it uses hashing so that clear-text usernames and passwords are never sent over the internet. However, many web browsers do not support it, so if your admin site is accessed by clients using browsers other than Microsoft Internet Explorer, Basic Authentication should be used instead.
Basic Authentication can be used on admin sites that must be accessed by a wide range of browsers and devices. One important thing to keep in mind with Basic Authentication is that usernames and passwords are not hashed, so additional precautions should be taken to ensure that your credentials are safe. Sites using Basic Authentication should always use SSL when connecting to the admin site. This will ensure that credentials are encrypted in transit to and from the website.
Disabling Anonymous Access to the Admin Site
Open the IIS Management Console on the web server
Expand the Sites folder
Expand your AspDotNetStorefront web site
Select the Admin folder
Double-Click the IIS - Authentication option
Under Authentication, select Anonymous Authentication and click 'Disable' in the Actions pane on the right
For Windows Authentication: select Windows Authentication and click 'Enable' in the Actions pane on the right
For Basic Authentication: select Basic Authentication and click 'Enable' in the Actions pane on the right
You can potentially enable both authentication mechanisms on the site. If both Basic and Windows Authentication are enabled, IIS will first try to use Windows Authentication, and then attempt Basic if that fails.
If using Basic Authentication, you will receive a warning stating that "...credentials will be sent in clear text over the wire". This warning does not apply to valid SSL connections.
With Windows Authentication you will get an Alert stating that "Challenge-based and login redirect-based authentication cannot be used simultaneously." but it can be ignored for sites using CLASSIC managed pipeline mode in the app pool.
For sites using Integrated mode, THIS ARTICLE may be useful (a knowledgeable developer will be required).
If using Windows Authentication only, restart the site. If using Basic Authentication, select Basic Authentication, click "Edit..." in the Actions pane on the right, enter your site domain (Realm is optional), and click OK
If requiring HTTPS for the admin console, double-click the IIS - SSL Settings for the Admin folder and check "Require SSL". NOTE that a valid SSL certificate and HTTPS binding must already be in place for this option to be available
Restart the site
Giving Users Access to the Admin Site
Once Basic or Windows Authentication is enabled on your admin site, user access to the entire directory is controlled using NTFS permissions. To assign a user permission to access your admin site:
Create a new user account in Windows using Computer Management (or Active Directory Users and Computers if your server is a member of an Active Directory domain).
Using Windows Explorer, browse to the directory that contains your AspDotNetStorefront web site files.
Right click the Admin folder and choose Properties.
Click the Security tab and click Add.
Enter the name of the user you just created and click OK, or click Advanced to view a list of all users you can add.
Assign the user Read, List, and Read & Execute permissions to the admin site.
Click OK.
Go to http://yoursite/admin or https://yoursite/admin (depending on whether SSL is required or not).
If all steps were done properly, you will be presented with a login prompt.
Enter your Windows user account username and password and click OK.
You should now be taken to your Admin site’s login page.
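The following script is an added example, not part of this article or of AspDotNetStorefront, that applies the same settings as the "Disabling Anonymous Access" and "Giving Users Access" steps above from Windows PowerShell (WebAdministration module, Windows PowerShell 5.1 assumed) and then verifies them. The site name, physical path, account name and host name are assumptions and must be changed for your server.

```powershell
# Added example: scripted equivalent of the IIS Manager steps, plus a verification pass.
# Assumptions (change for your server): site name, Admin folder path, account name, host name.
Import-Module WebAdministration

$SiteName  = 'Default Web Site'          # assumption: your AspDotNetStorefront site
$AdminPath = 'admin'                     # the Admin folder under that site
$Location  = "$SiteName/$AdminPath"
$AdminDir  = 'C:\inetpub\wwwroot\admin'  # assumption: physical path of the Admin folder
$AdminUser = 'StoreAdmin'                # assumption: account created in Computer Management
$SiteHost  = 'yoursite'                  # assumption: host name on the site's HTTPS binding

# Authentication settings are written per location into applicationHost.config,
# which is where IIS Manager stores them as well.
$Auth = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter "$Auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter "$Auth/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter "$Auth/basicAuthentication"     -Name enabled -Value $true
# Basic "Edit..." dialog: the domain used when the user types no domain (realm left empty).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter "$Auth/basicAuthentication" -Name defaultLogonDomain -Value $env:COMPUTERNAME

# Basic sends credentials in clear text, so require SSL (a valid HTTPS binding must already exist).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# NTFS step: Read & Execute on the folder (inherited to files and subfolders) covers Read and List.
icacls $AdminDir /grant "${AdminUser}:(OI)(CI)RX" | Out-Null

# Verification: anonymous must be off, and Basic must never be on without Require SSL.
$anon  = (Get-WebConfiguration -PSPath 'IIS:\' -Location $Location -Filter "$Auth/anonymousAuthentication").enabled
$basic = (Get-WebConfiguration -PSPath 'IIS:\' -Location $Location -Filter "$Auth/basicAuthentication").enabled
$ssl   = (Get-WebConfiguration -PSPath 'IIS:\' -Location $Location -Filter '/system.webServer/security/access').sslFlags
if ($anon)                            { Write-Warning "Anonymous access is still enabled on $Location" }
if ($basic -and "$ssl" -notmatch 'Ssl') { Write-Warning "Basic Authentication without Require SSL exposes credentials in transit" }

# An unauthenticated request to the Admin folder must now be challenged (401), not served.
try {
    Invoke-WebRequest -Uri "https://$SiteHost/$AdminPath/" -UseBasicParsing -ErrorAction Stop | Out-Null
    Write-Warning "Admin folder answered without a challenge; re-check the settings above"
} catch {
    $resp = $_.Exception.Response
    if ($resp -and [int]$resp.StatusCode -eq 401) {
        "Challenge OK, offered schemes: " + $resp.Headers['WWW-Authenticate']
    } else {
        Write-Warning "Unexpected result: $($_.Exception.Message)"
    }
}
```

Run it in an elevated PowerShell session on the web server; the final request uses no credentials on purpose, so a 401 with a WWW-Authenticate header is the expected, correct outcome.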
About this Article
This article is provided as-is for the convenience of our customers. AspDotNetStorefront does not perform general IT consulting tasks or management of dedicated servers. If you need assistance configuring user accounts or security on your server, please contact your hosting provider, IT department, or a qualified consultant. AspDotNetStorefront support cannot assist with these tasks.