How to combine IIS "ip address and domain restrictions" and authentication [Answered]RSS

7 replies

Last post Oct 17, 2019 01:54 AM by Jalpa Panchal

  • How to combine IIS "ip address and domain restrictions" and authentication

    Oct 15, 2019 10:14 AM|Jack Chuong|LINK

    <div class="body">

    Hi all,

    I'm using Windows server 2012 Standard with IIS 8.5 , I want to limit access to www.mywebsite.com/abc :
    - if client ip address is 1.2.3.4 --> allow
    - if client ip address is not 1.2.3.4 --> ask for authorization :
                - if right username and password --> allow
                - if wrong username and password --> deny

    I can configure authentication or "ip address and domain restrictions" works but how to combine them together ?

    If this topic should be placed in another category please let me know, thank you very much.

    </div>
  • Re: How to combine IIS "ip address and domain restrictions" and authentication

    Oct 15, 2019 02:49 PM|lextm|LINK

    Unless you write your own IIS extension, the built-in ones cannot meet this.

    Lex Li
    https://lextudio.com
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: How to combine IIS "ip address and domain restrictions" and authentication

    Oct 15, 2019 04:34 PM|RuskinF|LINK

    There's yet to be a way invented to do that.

  • Re: How to combine IIS "ip address and domain restrictions" and authentication

    Oct 16, 2019 03:04 AM|Jalpa Panchal|LINK

    Hi,

    In iis, there is no built-in functionality to achieve your requirement. 

    But you could try this below workaround:

    which kind of users you are using active directory users or domain users? if yes then you could use integrated windows authentication and disable anonymous authentication. You then achieve access control by setting customer security permissions in NTFS - you create an AD group that will be used to control access to the website, give it read/execute permissions to the webroot folder, then add all AD users to the group. When they connect to the site, they'll be authenticated automatically by AD and allowed to view the website.

    Then use the built-in Domain and IP Restrictions in IIS - set the default rule for IP restrictions to deny IP, then add each authorized IP address.

    The one thing you can't achieve is that any user can connect from any IP within the list, you can't restrict it any further. If you want to do better than this, you'll need to write code by yourself.

    Regards,

    Jalpa

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: How to combine IIS "ip address and domain restrictions" and authentication

    Oct 16, 2019 04:24 AM|Jack Chuong|LINK

    which kind of users you are using active directory users or domain users? --> yes
    Yes I did "use integrated windows authentication and disable anonymous authentication" , I don't have to do "setting customer security permissions in NTFS" stuffs , it just works fine , when AD users connect to the site, they are authenticated automatically by AD and allowed to view the website.
    I also did "Then use the built-in Domain and IP Restrictions in IIS - set the default rule for IP restrictions to deny IP, then add each authorized IP address" , it also works.

    But they don't work together , if client ip address is not 1.2.3.4 , client is denied , not asked for authorization .
    I did searching, some people said I can archive it with httpmodule , url rewrite , etc ... So, there is no built-in functionality in IIS can archive this ? Should I stop searching IIS document and find solution at another place ?

  • Re: How to combine IIS "ip address and domain restrictions" and authentication

    Oct 16, 2019 09:53 AM|Jalpa Panchal|LINK

    Hi,

    You could use custom module to implement your requirement.

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: How to combine IIS "ip address and domain restrictions" and authentication

    Oct 17, 2019 01:52 AM|Jack Chuong|LINK

    Thank you all,

    I will use a proxy to archive this.

  • Re: How to combine IIS "ip address and domain restrictions" and authentication

    Oct 17, 2019 01:54 AM|Jalpa Panchal|LINK

    Thanks for sharing your experience. It will be appreciated if you could mark yourself as answer. So that your post could help more people.

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.