Configuring IIS 6.0 to Force Authentication on the Admin Site
This article describes how to use IIS authentication to further protect and secure your
AspDotNetStorefront admin site. The concepts covered here require an understanding of
Windows Security, and should be undertaken by a knowledgeable IT professional. Improperly
configured security settings on a publicly facing server can potentially make the server vulnerable
to attack or prevent legitimate users from accessing the system.
Choosing between Integrated Windows Authentication and Basic Authentication
IIS 6.0 provides administrators with three settings for authenticating users.
For the purpose of this article, we will cover the two applicable options.
Integrated Windows Authentication in IIS 6.0 is the most secure option, as it uses hashing
technology to prevent sending clear text usernames and passwords over the internet. Many web
browsers do not support it, however, so if your admin site is accessed by clients using browsers
other than Microsoft Internet Explorer, Basic Authentication should be used instead.
Basic Authentication can be used on admin sites that must be accessed by a wide range of
browsers and devices. One important thing to keep in mind with Basic Authentication is that
usernames and passwords are not hashed, so additional precautions should be taken to ensure
that your credentials are safe. Sites using Basic Authentication should always use SSL when
connecting to the admin site. This will ensure that credentials are encrypted in transit to and from
Disabling Anonymous Access to the Admin Site
1. Open the IIS Management Console on the web server
2. Expand the Web Sites folder
3. Expand your AspDotNetStorefront web site
4. Right click the Admin folder and go to Properties
5. Click the Directory Security tab
6. Under Authentication and Access Control, click Edit
7. Uncheck the Enable Anonymous Access box
8. Enable either Integrated Windows Authentication or Basic Authentication. When enabling Basic Authentication, you will receive a warning stating that passwords can be sent in clear text. This warning does not apply to SSL connections. Click Yes to continue.
Note: You can potentially enable both authentication mechanisms on the site. If both Basic and Integrated Windows Authentication are enabled, IIS will first try to use Integrated Windows Authentication, and then attempt Basic if that fails.
9. If using Basic Authentication, enter your domain name in the Default Domain box. The Realm box is optional, and can be left blank. Click OK.
10. If using Integrated Windows Authentication only, click OK and restart the site. If using Basic Authentication, on the Directory Security tab, click Edit under the Secure Communications section.
11. Check the Require Secure Channel (SSL) box.
12. Click OK.
13. Click Apply and restart the website.
Important – Once SSL is required to access the admin site, you must manually invoke SSL by going to https://yoursite/admin. If you attempt to access the site over standard HTTP you will receive an error. Make sure the URL you are using to access your admin site starts with HTTPS. You must also have a valid SSL certificate installed on your website for this to function properly. If you do not yet have an SSL certificate, Microsoft provides a tool to generate an untrusted certificate in the IIS 6.0 Resource Kit. See the Microsoft web site for additional details.
Giving Users Access to the Admin Site
Once Basic or Windows Authentication is enabled on your admin site, user access to the entire directory is controlled using NTFS permissions. To assign a user permission to access your admin site:
1. Create a new user account in Windows using Computer Management (or Active Directory Users and Computers if your server is a member of an Active Directory domain).
2. Using Windows Explorer, browse to the directory that contains your AspDotNetStorefront web site files.
3. Right click the Admin folder and choose Properties.
4. Click the Security tab and click Add.
5. Enter the name of the user you just created and click OK, or click Advanced to view a list of all users you can add.
6. Assign the user Read, List, and Read & Execute permissions to the admin site.
7. Click OK.
To verify the configuration:
1. Go to http://yoursite/admin or https://yoursite/admin (depending on whether SSL is required or not).
2. If all steps were done properly, you will be presented with a login prompt.
3. Enter your new Windows user account username and password and click OK.
4. You should now be taken to your Admin site’s login page.
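The following script is an added example, not part of this article or of AspDotNetStorefront, that turns the verification steps above and the Basic Authentication caveat into a repeatable check: it classifies the responses the Admin folder should give once anonymous access is disabled and SSL is required (an error over plain HTTP, a login prompt over HTTPS, never a 200 without a challenge), and shows that a Basic Authorization header decodes straight back to the username and password. The responses and the credentials in it are constructed for the illustration; the hostname yoursite is the placeholder used in the article.

```python
import base64
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample responses (not captured from a real server). Each entry is
# (requested URL, status line, response headers) as the Admin folder might
# answer at different points while applying the steps above.
SAMPLE_RESPONSES = [
    ("http://yoursite/admin/", "HTTP/1.1 403 Forbidden", {}),
    ("https://yoursite/admin/", "HTTP/1.1 401 Unauthorized",
     {"WWW-Authenticate": 'Basic realm="yoursite"'}),
    ("http://yoursite/admin/", "HTTP/1.1 401 Unauthorized",
     {"WWW-Authenticate": 'Basic realm="yoursite"'}),
    ("https://yoursite/admin/", "HTTP/1.1 200 OK", {}),
]


def audit_admin_response(url: str, status_line: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, finding) for one response from the admin folder."""
    scheme = urlsplit(url).scheme.lower()
    status = int(status_line.split()[1])
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    # Challenge schemes offered, e.g. "Basic", "Negotiate", "NTLM" (joined with commas here)
    schemes = [s.split()[0] for s in lowered.get("www-authenticate", "").split(",") if s.strip()]
    if status == 200:
        return False, "200 OK without a challenge: anonymous access is still enabled on the Admin folder"
    if status == 401:
        if "Basic" in schemes and scheme != "https":
            return False, "Basic challenge over plain HTTP: credentials would cross the network unencrypted; require SSL"
        if not schemes:
            return False, "401 without WWW-Authenticate: no authentication method is enabled"
        return True, f"login prompt via {', '.join(schemes)} over {scheme}"
    if status == 403 and scheme == "http":
        return True, "plain HTTP refused (IIS 403, SSL required); use the https:// URL"
    return False, f"unexpected status {status} over {scheme}"


def decode_basic_credentials(authorization: str) -> Tuple[str, str]:
    """Basic credentials are base64-encoded, not hashed: they decode straight back
    to user and password, which is why the article requires SSL with Basic."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


def audit_all(responses=SAMPLE_RESPONSES) -> List[Tuple[str, bool, str]]:
    return [(url, *audit_admin_response(url, s, h)) for url, s, h in responses]


if __name__ == "__main__":
    for url, ok, finding in audit_all():
        print("PASS" if ok else "FAIL", url, "-", finding)
    # Constructed header with made-up credentials, to show what a plain-HTTP observer would see.
    print(decode_basic_credentials("Basic c3RvcmVhZG1pbjpFeGFtcGxlITIz"))
```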
About this Article
This article is provided as-is for the convenience of our customers. AspDotNetStorefront does not perform general IT consulting tasks or management of dedicated servers. If you need assistance configuring user accounts or security on your server, please contact your hosting provider, IT department, or a qualified consultant. AspDotNetStorefront support cannot assist with these tasks.