How To Configure Authentication and IIS 7.0 URL Authorization

In earlier IIS versions, authorization was fairly difficult to carry out because IIS worked only with Windows identities. You had to set up Access Control Lists (ACLs) on directories and files in the file system.

This was tedious because of the complexity of the ACL UI, and the authorization rules did not copy cleanly from one machine to another. IIS 7.0 and later versions use URL Authorization. Instead of putting authorization rules on the underlying file system resource, it lets you put the rules on the URL itself.

The IIS URL Authorization configuration is stored in web.config files, so the authorization rules ship together with the application content.

The walkthrough below shows how to use IIS URL Authorization on Windows Server 2008 Beta 3 and Windows Vista Service Pack 1.


For this setup, make sure the following IIS features are installed in addition to the defaults:

"URL Authorization" under "Internet Information Services" - "World Wide Web Services" - "Security"
"ASP.NET" under "Internet Information Services" - "World Wide Web Services" - "Application Development Features"


Consider a scenario in which you have a secure directory that only Alice, Bob and members of the Admin group may access. The directory contains a file named bobsSecret.aspx that only Bob may access.

Scene Setup

This scenario needs three users: Alice, Bob, and Fred. It also needs a new group called BobAndFriends, with Jane and Ryan as members. Create the three accounts and the group with the Windows User Manager, or use the commands below.


net user Alice <password_of_your_choice> /add
net user Bob <password_of_your_choice> /add
net user Fred <password_of_your_choice> /add
net localgroup BobAndFriends /add
net localgroup BobAndFriends Alice /add
net localgroup BobAndFriends Bob /add

The steps below create the directory and the two test pages.

Step 1: Navigate To The Directory

Open Explorer and navigate to the directory "%systemdrive%\inetpub\wwwroot".

Step 2: Create Directory

Create a new directory named "secure".

Step 3: Create File

Go into the new directory and create a file named "default.aspx". You can do this with Notepad or another text editor.

Step 4: Paste Code

Paste the code below into the default.aspx file.

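<%@ Page Language="C#" %>
<%
// LOGON_USER is empty when the request was not authenticated.
string currentUser = Request.ServerVariables["LOGON_USER"];
if (currentUser == "")
    currentUser = "anonymous";
Response.Write("<b>Current User:</b> " + Server.HtmlEncode(currentUser));
%>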

Step 5: Create 2nd File

Create another file named bobsSecret.aspx and paste the code below into it.

<%@ Page Language="C#" %>
<%
string currentUser = Request.ServerVariables["LOGON_USER"];
if (currentUser == "")
    currentUser = "anonymous";
Response.Write("<b>Current User:</b> " + Server.HtmlEncode(currentUser));
// The content that only Bob should be able to read.
Response.Write("<br/><b>My secret:</b> I used Apache before I discovered IIS7.");
%>

To check that the pages work, request "http://localhost/secure/" and "http://localhost/secure/ryansSecret.aspx".

How To Configure Authentication

Authentication answers "who" wants access; authorization answers "if" that "who" is allowed to have it. So before you experiment with URL Authorization, you must make sure authentication is enabled, because the "if" question cannot be answered when the requester is not known.

To configure authentication, follow the steps below.

Step 1: Launch INETMGR

Launch INETMGR by typing "INETMGR" into the "Start Search" box.

Step 2: Select Directory

You will see a machine node in the tree view on the left. Open the "Default Web Site" node and select the directory you named "secure".

Step 3: Navigate To The Authentication Tab

Double-click "Authentication".

Step 4: Disable And Enable Authentication

Disable "Anonymous Authentication" and then enable "Basic Authentication". Basic Authentication sends the user name and password unencrypted, so outside a localhost test like this one it should only be used over HTTPS. As soon as this is done, request "http://localhost/secure" and "http://localhost/secure/bobsSecret.aspx" once more. You are prompted for credentials; enter "Alice" as the user name along with the password to authenticate as Alice.

Note that if you use Internet Explorer, you can press Ctrl+F5 to make Internet Explorer refresh its cached version of the ASP.NET page.

How To Configure URL Authorization

Now secure both pages so that only Alice and Bob can access them, using the steps below:

Step 1: Select Rule Type

Double-click the "secure" web directory again and choose "Authorization Rules".

Step 2: Remove Rule

Remove the rule "Allow All Users".

Step 3: Incorporate Allow Permission

Once it is removed, select the "Add Allow Rule…" action and choose the radio button "Specified roles or user groups". Enter "BobAndFriends" and click "OK".

Step 5: Close Windows

After that, close all Internet Explorer windows, because Internet Explorer caches the credentials you entered in the last step.

Step 6: Try To Access Page

Open Internet Explorer and try to access the page with Fred's credentials; access is denied. With Alice's or Bob's credentials, you gain access immediately.

How To Configure URL Authorization For A Single Web Page

At this point there is still a problem: Alice can access bobsSecret.aspx. To fix this, follow the steps below:

Step 1: Open Content View

Double-click the "secure" web directory again and choose "Content View" at the bottom of the page.

Step 2: Select File

The content view opens and lists the files in the secure folder, where you will see "bobsSecret.aspx" and "default.aspx".

Step 3: View Feature

Right-click the bobsSecret.aspx file and choose the "Feature View" option.

As the status bar shows, the changes you make now apply only to the bobsSecret.aspx page.

Step 4: Open The Authorization Rules

Open "Authorization Rules" once more. You will see the inherited settings, i.e. bobsSecret.aspx can be accessed by the BobAndFriends group.

Step 5: Remove Rule

Remove the rule for "BobAndFriends".

Step 6: Add Rule

Choose the "Add Allow Rule…" option.

Step 7: Specify The Users

Choose the radio button "Specified users:", enter the name "Bob" and click "OK".

Step 8: Shut down Internet Explorer Windows

Close all Internet Explorer windows and request "http://localhost/secure/bobsSecret.aspx".

Step 9: Gaining Access

With this set, you gain access only when Bob's credentials are entered.

Configuring Advanced URL Authorization

You do not need the User Interface to specify URL Authorization settings. The URL Authorization rules can be specified directly in your web.config file, using the configuration below.

<?xml version="1.0" encoding="UTF-8"?>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="BobAndFriends" />
<remove users="" roles="BobAndFriends" verbs="" />
<add accessType="Allow" users="Bob" />
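
The rule elements above only take effect inside the authorization section of the configuration. The following is an added example, not part of the original article, of a complete web.config for this scenario. It assumes the file is saved in the "secure" directory; the wrapping elements and the location path are not in the article's listing and follow the IIS system.webServer configuration schema.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: web.config assumed to be saved in the "secure" directory. -->
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- Drop the inherited "Allow All Users" rule. -->
        <remove users="*" roles="" verbs="" />
        <!-- Directory-wide rule: only members of BobAndFriends are allowed. -->
        <add accessType="Allow" roles="BobAndFriends" />
      </authorization>
    </security>
  </system.webServer>

  <!-- Per-file override; the path is relative to this web.config. -->
  <location path="bobsSecret.aspx">
    <system.webServer>
      <security>
        <authorization>
          <!-- Remove the group rule inherited from the directory level. -->
          <remove users="" roles="BobAndFriends" verbs="" />
          <!-- Only the user Bob may request this page. -->
          <add accessType="Allow" users="Bob" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```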


There you have it: all the information you need to configure authentication and URL authorization in IIS 7.0. You shouldn't encounter any problems if you follow these steps carefully.
