Creating limited logons for access to a website in IIS 10

Hi,

What is the recommended way to create a limited login to an admin section for a specific website in Windows 2016 for a public-facing webserver in IIS?  I see several options: Basic/Digest/Windows authentication methods.  I'd like not to have to add a local account for each client if possible, but will if I need to.  Part of their admin functionality is to upload and manage images, if that has any impact.

Thanks!

--Ben
Ben ConnerCTO, SAS developerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dan McFaddenSystems EngineerCommented:
What are you using to manage content on the website?  Usually this would be controlled in the application itself.  The authentication configuration is based on what technology the backend uses.

Dan
0
Ben ConnerCTO, SAS developerAuthor Commented:
Hi Dan,

This site uses Coldfusion.  I want to restrict access to the admin folder.  But for the sake of this question, let's say it was a static site and I didn't want a given folder to have public access.   ?

--Ben
0
Dan McFaddenSystems EngineerCommented:
Ben,

It's not that simple.  If you want to control access to a specific folder (directory, URL) you need to have some way of indicating which user IDs can access that location.  Without doing this in code (of userIDs in the CMS) you will need to change the folder's permissions (ACLs) to limit what user IDs can enter the location.  This means having a local account (or domain account if needed) that has access to the resource.

Then you can enable BASIC or Windows authentication.  But I do not recommend any authentication which sends credentials without an SSL Certificate installed and properly configured on the site.

The best way to accomplish this, would be to build the authentication functionality into the app at the code level.  Then enable authentication in the admin section of the site.

BTW, this process is the same for IIS7+.

How to article:  http://www.iisunderground.com/password-protect-a-file-or-directory/

Reference links:
Basic Auth:  https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/basicauthentication
Windows Auth: https://docs.microsoft.com/en-us/iis/configuration/system.webServer/security/authentication/windowsAuthentication/

Dan
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ben ConnerCTO, SAS developerAuthor Commented:
Thanks, Dan.  Yes, this site has a cert.  No issues there.  Will take a look at the articles and see what I did wrong. :)

Thanks!

--Ben
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.