I have a website hosted on an IIS 7.5/Server 2008 R2 Server. I want to use SSL and Basic Authentication on one file in the site. This used to be easy on sub-7 IIS versions, how can I do it on 7.5?
Ssl – Use SSL only on one file in iis 7.5
iisiis-7iis-7.5ssl
Related Solutions
Update: The original question was for Windows Server 2008, but the solution is easier for Windows Server 2008 R2 and Windows Server 2012 (and Windows 7 and 8). You can add the user through the NTFS UI by typing it in directly. The name is in the format of IIS APPPOOL\{app pool name}. For example: IIS APPPOOL\DefaultAppPool.
IIS APPPOOL\{app pool name}
Note: Per comments below, there are two things to be aware of:
- Enter the string directly into the "Select User or Group" and not in the search field.
- In a domain environment you need to set the Location to your local computer first.
Reference to Microsoft Docs article: Application Pool Identities > Securing Resources
Original response: (for Windows Server 2008) This is a great feature, but as you mentioned it's not fully implemented yet. You can add the app pool identity from the command prompt with something like icacls, then you can manage it from the GUI. For example, run something like this from the command prompt:
icacls c:\inetpub\wwwroot /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)(RX)
Then, in Windows Explorer, go to the wwwroot folder and edit the security permissions. You will see what looks like a group (the group icon) called DefaultAppPool. You can now edit the permissions.
However, you don't need to use this at all. It's a bonus that you can use if you want. You can use the old way of creating a custom user per app pool and assigning the custom user to disk. That has full UI support.
This SID injection method is nice because it allows you to use a single user but fully isolate each site from each other without having to create unique users for each app pool. Pretty impressive, and it will be even better with UI support.
Note: If you are unable to find the application pool user, check to see if the Windows service called Application Host Helper Service is running. It's the service that maps application pool users to Windows accounts.
With regard to your second question about how to ensure that configuration changes are persisted to a site's web.config
rather than applicationHost.config
, this can be controlled via Feature Delegation.
If you navigate to the machine node of IIS Manager you will see an icon named "Feature Delegation":
Launch this IIS "applet" and you will be presented with a list of features that can have their configuration delegated to web.config
.
Settings that are marked Read/Write will usually have their settings written to the web.config
file. Settings that are marked Read Only will usually have their settings written to applicationHost.config
and cannot be overridden in the web.config
file.
As it so happens the <windowsAuthentication>
configuration can be delegated to the web.config
file.
Minor Gotcha:
Not all of the applets surface the full range of settings you can configure. A good example of this as it so happens is the <windowsAuthentication>
useAppPoolCredentials
attribute. It's no-where to be seen in the Authentication applet, not even under Advanced Settings.
However you can get at this value (and pretty much everything else) via the Configuration Editor. If you navigate to your web site's node in the left hand pane in IIS manager you will see this icon under Management:
If you launch the Configuration Editor you'll be presented with a dropdown list containing a tree of various settings:
If we select the /system.webServer/security/authentication/windowsAuthentication
node we are presented with the full spectrum of settings that can be changed. Here we can see the setting we're interested in (useAppPoolCredentials
):
You can choose whether to configure the values for the website in web.config
or in applicationHost.config
from the From: drop down list next to the config section tree drop down:
If a section has not been delegated as Read/Write in the web.config
then you'll see the following:
We get an alert saying that this particular feature is locked, all of the settings are greyed out and disabled and there's a padlock indicating that child settings of this feature are also locked out.
Finally, not all settings can be delegated, for example site bindings, application pool, virtual directories.
Best Answer
To enable, File Level Authentication in IIS 7 / 7.5
Follow the same procedure for SSL Settings as well to enable SSL for just a single file.
Source: http://www.dotnetscraps.com/dotnetscraps/post/Did-you-know-Enable-File-Level-Authentication-in-IIS-7-75.aspx