Securing an IIS website with Windows authentication

My company has a website that is being hosted on one of the DC's with IIS.
On the main page of the site there is a link to a staff webpage which requires a login to access.
When accessing the website by, the user is prompted with the login.
But, when accessing the website by,, or, there is no login and the webpage is accessible to anyone.
The folder that the webpage is in has "Enable anonymous access" unchecked and "integrated windows authentication" is checked.
Don't know if this is important, but when using the website within the network, it still asks for the login.
This is on a Windows 2003 SP1 Server.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Enable the basic authentication and remove anything else on that website through IIS. Add your domain name when you enable basic authentication.
donvfpAuthor Commented:
So I should enable "basic authentication" and disable "digest authentication" and "Integrated windows authentication"?
What do you mean by "Add your domain name"?
When you go to the directory security tab, in the authentication windows, when you choose basi authentication, you see a field named Default Domain. Enter your domain name in that foeld. If your domain name is, then enter
I'm assuming that the IIS is installed on a Domain Controller accroding to your post.
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

donvfpAuthor Commented:
I selected "basic authentication" and deselected all other authentication methods. I entered the domain in the default domain box. I restarted the IIS services.
The website still performs as before.
# Open the MMC and select the site or directory you wish to protect
# Right click and select properties on that site / directory
# Select the directory security tab
# Click the "edit" button on authentication control
# Disable basic authentication and enable NTLM / Integrated Windows Authentication
# Now your site is setup to support NTLM authentication you need to change the NTFS permissions for the directory you want to protect and add any users or groups you wish to have access

After you do this, restart IIS. Do you receive a log in box?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
donvfpAuthor Commented:
The site still performs the same
I only receive a login prompt when accessing the site through

How is it possible that this site exists as four separate sites but entered in IIS as one?
A single site cannot exists at HTTPS and HTTP without being two websites in IIS because it binds with a port number. http is 80 and https is 443.

So, you don't get a login screen when going to what happens? it lets you in without authentication?
donvfpAuthor Commented:
Exactly. It lets me in without authentication.
have you tried to access the site from a computer that is logged in with a user who should not have access?

integrated windows authentication can take your username/password from the logged on local account and use that as authentication. are you sure this is not happening?
donvfpAuthor Commented:
Well, I figured this out about a week ago.
It turns out that I was making the changes in their website which was a separate branch not under Default Website of IIS.
The website that exists on the web was under Default Website of IIS and I did not realize it was there.

Thank you for all your help
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.