Securing an IIS website with Windows authentication

My company has a website that is being hosted on one of the DC's with IIS.
On the main page of the site there is a link to a staff webpage which requires a login to access.
When accessing the website by www.mywebsite.com, the user is prompted with the login.
But, when accessing the website by mywebsite.com, https://www.mywebsite.com, or https://mywebsite.com, there is no login and the webpage is accessible to anyone.
The folder that the webpage is in has "Enable anonymous access" unchecked and "integrated windows authentication" is checked.
Don't know if this is important, but when using the website within the network, it still asks for the login.
This is on a Windows 2003 SP1 Server.
donvfpAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
jjmartineziiiConnect With a Mentor Commented:
# Open the MMC and select the site or directory you wish to protect
# Right click and select properties on that site / directory
# Select the directory security tab
# Click the "edit" button on authentication control
# Disable basic authentication and enable NTLM / Integrated Windows Authentication
# Now your site is setup to support NTLM authentication you need to change the NTFS permissions for the directory you want to protect and add any users or groups you wish to have access


After you do this, restart IIS. Do you receive a log in box?
0
 
isaman07Commented:
Enable the basic authentication and remove anything else on that website through IIS. Add your domain name when you enable basic authentication.
0
 
donvfpAuthor Commented:
So I should enable "basic authentication" and disable "digest authentication" and "Integrated windows authentication"?
What do you mean by "Add your domain name"?
0
Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

 
isaman07Commented:
When you go to the directory security tab, in the authentication windows, when you choose basi authentication, you see a field named Default Domain. Enter your domain name in that foeld. If your domain name is company.com, then enter company.com
I'm assuming that the IIS is installed on a Domain Controller accroding to your post.
0
 
donvfpAuthor Commented:
I selected "basic authentication" and deselected all other authentication methods. I entered the domain in the default domain box. I restarted the IIS services.
The website still performs as before.
0
 
donvfpAuthor Commented:
The site still performs the same
I only receive a login prompt when accessing the site through www.mywebsite.com.

How is it possible that this site exists as four separate sites but entered in IIS as one?
0
 
jjmartineziiiCommented:
A single site cannot exists at HTTPS and HTTP without being two websites in IIS because it binds with a port number. http is 80 and https is 443.


So, you don't get a login screen when going to mysite.com. what happens? it lets you in without authentication?
0
 
donvfpAuthor Commented:
Exactly. It lets me in without authentication.
0
 
jjmartineziiiCommented:
have you tried to access the site from a computer that is logged in with a user who should not have access?

integrated windows authentication can take your username/password from the logged on local account and use that as authentication. are you sure this is not happening?
0
 
donvfpAuthor Commented:
Well, I figured this out about a week ago.
It turns out that I was making the changes in their website which was a separate branch not under Default Website of IIS.
The website that exists on the web was under Default Website of IIS and I did not realize it was there.

Thank you for all your help
0
All Courses

From novice to tech pro — start learning today.