IIS 7 and Above
How to combine IIS "ip address and domain restrictions" and authentic...
Last post Oct 17, 2019 01:54 AM by Jalpa Panchal
Oct 15, 2019 10:14 AM|Jack Chuong|LINK
I'm using Windows Server 2012 Standard with IIS 8.5. I want to limit access to www.mywebsite.com/abc:
- if client IP address is 18.104.22.168 --> allow
- if client IP address is not 22.214.171.124 --> ask for authorization:
  - if right username and password --> allow
  - if wrong username and password --> deny

I can get authentication or "IP address and domain restrictions" to work, but how do I combine them together?
If this topic should be placed in another category please let me know, thank you very much.
Oct 15, 2019 02:49 PM|lextm|LINK
Unless you write your own IIS extension, the built-in ones cannot meet this.
Oct 15, 2019 04:34 PM|RuskinF|LINK
There's yet to be a way invented to do that.
Oct 16, 2019 03:04 AM|Jalpa Panchal|LINK
In IIS, there is no built-in functionality to achieve your requirement.
But you could try the workaround below:
Which kind of users are you using, Active Directory users or domain users? If yes, then you could use integrated Windows authentication and disable anonymous authentication. You then achieve access control by setting customer security permissions in NTFS - you create an AD group that will be used to control access to the website, give it read/execute permissions to the webroot folder, then add all AD users to the group. When they connect to the site, they'll be authenticated automatically by AD and allowed to view the website.
Then use the built-in Domain and IP Restrictions in IIS - set the default rule for IP restrictions to deny IP, then add each authorized IP address.
The one thing you can't achieve is that any user can connect from any IP within the list; you can't restrict it any further. If you want to do better than this, you'll need to write code yourself.
Oct 16, 2019 04:24 AM|Jack Chuong|LINK
which kind of users you are using active directory users or domain users? --> yes
Yes, I did "use integrated windows authentication and disable anonymous authentication". I don't have to do the "setting customer security permissions in NTFS" stuff; it just works fine. When AD users connect to the site, they are authenticated automatically by AD and allowed to view the website.
I also did "Then use the built-in Domain and IP Restrictions in IIS - set the default rule for IP restrictions to deny IP, then add each authorized IP address"; it also works.
But they don't work together: if the client IP address is not 126.96.36.199, the client is denied, not asked for authorization.
I did some searching; some people said I can achieve it with an HttpModule, URL Rewrite, etc. So, is there no built-in functionality in IIS that can achieve this? Should I stop searching the IIS documentation and find a solution at another place?
Oct 16, 2019 09:53 AM|Jalpa Panchal|LINK
You could use a custom module to implement your requirement.
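
A sketch of such a custom module, added here as an example and not code posted by anyone in this thread: it lets a listed address through without credentials and answers every other unauthenticated request to the protected path with 401. It assumes the integrated pipeline, the built-in IP restriction rule removed for this path, and both Anonymous and Windows authentication enabled so that IIS turns the 401 into a challenge; the class name and the address `192.0.2.10` are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web;

// Hypothetical module; register it under <system.webServer><modules> without the
// managedHandler precondition so it also covers static files below the path.
public class IpOrAuthModule : IHttpModule
{
    // "/abc" is the path from the question; the address is a constructed
    // documentation-range placeholder (RFC 5737), not a value from the thread.
    private const string ProtectedPrefix = "/abc";
    private static readonly HashSet<IPAddress> TrustedAddresses =
        new HashSet<IPAddress> { IPAddress.Parse("192.0.2.10") };

    public void Init(HttpApplication app)
    {
        // Runs after the IIS authentication modules have set the request identity.
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!IsProtected(ctx.Request.Path)) return;
        if (IsTrusted(ctx.Request.UserHostAddress) || ctx.Request.IsAuthenticated) return;

        // Neither a trusted address nor an authenticated user: demand credentials.
        ctx.Response.StatusCode = 401;
        ctx.ApplicationInstance.CompleteRequest();
    }

    // Match "/abc" and "/abc/..." only, so "/abcd" is not swept in by accident.
    private static bool IsProtected(string path)
    {
        return path.Equals(ProtectedPrefix, StringComparison.OrdinalIgnoreCase)
            || path.StartsWith(ProtectedPrefix + "/", StringComparison.OrdinalIgnoreCase);
    }

    // UserHostAddress is the TCP peer. Behind a reverse proxy it is the proxy's
    // address, so the allowlist would then have to be enforced at the proxy instead.
    private static bool IsTrusted(string remoteAddress)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(remoteAddress, out ip)) return false;
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4(); // dual-stack listeners
        return TrustedAddresses.Contains(ip);
    }

    public void Dispose() { }
}
```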
Oct 17, 2019 01:52 AM|Jack Chuong|LINK
Thank you all,
I will use a proxy to achieve this.
Oct 17, 2019 01:54 AM|Jalpa Panchal|LINK
Thanks for sharing your experience. It would be appreciated if you could mark your own post as the answer, so that your post could help more people.