Windows 2025

IIS : Windows Authentication
2024/12/18

 

Set Windows Authentication on a folder to require user authentication.

It differs from Basic Authentication as follows. With Basic Authentication, the authentication form is always displayed and users must enter their user information manually to authenticate.

With Windows Authentication, however, if the client computer runs Windows and accesses the Windows Authentication folder, the web browser automatically sends the current logon user's information to the IIS server and the authentication process runs with it.

Therefore, if the IIS host and the Windows client host are in the same Windows AD domain, the authentication form is not displayed when the Windows client accesses the Windows Authentication folder, and the contents of the folder can be accessed without entering user information, because the web browser runs the authentication process automatically.

Furthermore, even if the Windows client computer is outside the AD domain, there is a case where access is possible without entering authentication information manually. If a local user on the client host has the same username and the same password as a user on the IIS host, and the web browser is configured with the target site added as a Safe Site, then the authentication process succeeds automatically.

Only in the few cases above is the authentication form not displayed. In all other cases, authentication information must be entered manually, and from the user's viewpoint the behavior is the same as Basic Authentication.

[1] Run PowerShell with admin privileges and configure the settings.
In this example, create an [auth_win] folder under the [RX-7.srv.world] site and set Windows Authentication on that folder.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

# install windows Authentication feature
PS C:\Users\Administrator> Install-WindowsFeature Web-Windows-Auth 

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Windows Authentication}

# restart IIS
PS C:\Users\Administrator> Restart-Service W3SVC 

PS C:\Users\Administrator> Get-Website 

Name             ID   State      Physical Path                  Bindings
----             --   -----      -------------                  --------
Default Web Site 1    Started    %SystemDrive%\inetpub\wwwroot  http *:80:
RX-7.srv.world   2    Started    C:\inetpub\newsite             http *:80:rx-7.srv.world
                                                                https *:443:rx-7.srv.world sslFlags=0

# create [auth_win] folder
PS C:\Users\Administrator> New-Item -ItemType Directory -Path "IIS:\Sites\RX-7.srv.world\auth_win" 

    Directory: WebAdministration::\\RX-7\Sites\RX-7.srv.world


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        12/17/2024   6:38 PM                auth_win

# disable anonymous authentication for target folder
PS C:\Users\Administrator> Set-WebConfigurationProperty -Filter '/system.webServer/security/authentication/anonymousAuthentication' -Location "RX-7.srv.world/auth_win" -Name enabled -Value False 

# enable Windows authentication for target folder
PS C:\Users\Administrator> Set-WebConfigurationProperty -Filter '/system.webServer/security/authentication/windowsAuthentication' -Location "RX-7.srv.world/auth_win" -Name enabled -Value True 

# restart target Web site
PS C:\Users\Administrator> Restart-WebItem -PSPath 'IIS:\Sites\RX-7.srv.world' 

# create a test page
PS C:\Users\Administrator> Write-Output "Windows Authentication Test Page" | Out-File C:\inetpub\newsite\auth_win\index.html -Encoding Default 

# verify access ⇒ [-u (username)]
# authentication is required except in the specific cases described at the beginning of this page
PS C:\Users\Administrator> curl.exe --ntlm -u Serverworld https://rx-7.srv.world/auth_win/ 
Enter host password for user 'Serverworld':     # user password
Windows Authentication Test Page
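
A read-back check of the configuration from step [1], as an added example that is not part of the original page: it confirms Anonymous Authentication is off and Windows Authentication is on for the folder, lists the offered providers and the folder's NTFS ACL, and checks that a request without credentials is answered with 401. It assumes the site name, folder path and URL used above.

```powershell
# Added audit example, not from the original page.
# Site, folder, path and URL are the ones used in step [1].
Import-Module WebAdministration

$site   = 'RX-7.srv.world'
$psPath = "IIS:\Sites\$site\auth_win"
$folder = 'C:\inetpub\newsite\auth_win'
$url    = 'https://rx-7.srv.world/auth_win/'
$auth   = '/system.webServer/security/authentication'

function Test-AuthEnabled([string]$Scheme) {
    # Effective "enabled" value for the folder (location tags and web.config merged)
    $p = Get-WebConfigurationProperty -PSPath $psPath -Filter "$auth/$Scheme" -Name enabled
    if ($null -eq $p) { return $false }
    # The cmdlet returns either a ConfigurationAttribute or a bare value
    $v = if ($p.PSObject.Properties['Value']) { $p.Value } else { $p }
    [System.Convert]::ToBoolean($v)
}

$findings = @()
if (Test-AuthEnabled 'anonymousAuthentication') {
    $findings += 'Anonymous Authentication is still enabled on the folder'
}
if (-not (Test-AuthEnabled 'windowsAuthentication')) {
    $findings += 'Windows Authentication is not enabled on the folder'
}

# Providers are offered to the client in this order
$providers = Get-WebConfiguration -PSPath $psPath -Filter "$auth/windowsAuthentication/providers/add" |
    ForEach-Object { $_.value }

# A request that sends no credentials must be challenged with 401
$status = curl.exe -s -o NUL -w '%{http_code}' $url
if ($status -ne '401') {
    $findings += "Request without credentials returned $status, expected 401"
}

# NTFS permissions still decide which authenticated users can read the folder
$acl = (Get-Acl $folder).Access |
    ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights) ($($_.AccessControlType))" }

[pscustomobject]@{
    Folder    = $psPath
    Providers = $providers -join ', '
    NtfsAcl   = $acl
    Findings  = $findings
} | Format-List
```

An empty Findings field means the folder matches the configuration this page sets up.
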
IIS : Windows Authentication (GUI)
 

To configure with the GUI, set as follows.

[2] Run [Start] - [Server Manager] and open [Add roles and features], then check the [Windows Authentication] box and install it.
[3] After installing, restart IIS.
[4] Create the folder on which you'd like to set Windows Authentication.
In this example, create an [auth_win] folder for it. Also add NTFS access permissions for the users or groups you'd like to allow to access the folder.
Run [Start] - [Server Manager] and click [Tools] - [Internet Information Services (IIS) Manager], then select the folder on which you'd like to set Windows Authentication in the left pane and open [Authentication] in the center pane.
[5] Disable [Anonymous Authentication] and enable [Windows Authentication].
[6] Create a test page under the folder on which you set Windows Authentication and verify access.
If the client host is also Windows and one of the specific cases described at the beginning of this page applies, the authentication form is not displayed. In other cases, the authentication form is displayed and user authentication information must be entered.
[7] It's OK if authentication succeeds and the test page is shown normally.