How to Restrict IIS Site Access to Specific Active Directory Groups Using Windows Authentication


When implementing AD group-based access control in IIS, the authentication process follows this sequence:

  1. Client browser sends request to IIS server
  2. IIS challenges for Windows credentials (NTLM/Kerberos)
  3. Domain controller validates credentials
  4. IIS compares the group SIDs carried in the user's logon token against the site's authorization rules
  5. Access granted/denied based on authorization rules

Before implementing group restrictions, ensure the Windows Authentication role service is installed on the server:

# PowerShell to verify Windows Authentication is installed
Get-WindowsFeature Web-Windows-Auth

# Install if missing
Install-WindowsFeature Web-Windows-Auth -IncludeManagementTools

1. Enable Windows Authentication

In IIS Manager:

  1. Select your website or application
  2. Double-click "Authentication"
  3. Right-click "Windows Authentication" → Enable
  4. Disable all other authentication methods

2. Configure Authorization Rules

For the specific site or virtual directory:

<configuration>
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Deny" users="*" />
        <add accessType="Allow" roles="DOMAIN\YourADGroup" />
      </authorization>
    </security>
  </system.webServer>
</configuration>

3. Advanced Group Membership Handling

For nested groups or complex scenarios, the application can also resolve membership itself; GetAuthorizationGroups() expands nested groups, which a plain group listing does not:

// C# code to check group membership programmatically
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;

// Returns true when groupName is in the user's effective (token) group set.
// An unknown account is treated as "not a member" rather than throwing.
bool IsUserInGroup(string username, string groupName)
{
    using (var context = new PrincipalContext(ContextType.Domain))
    using (var user = UserPrincipal.FindByIdentity(context, username))
    {
        if (user == null)
            return false;

        var groups = user.GetAuthorizationGroups();
        return groups.Any(g => g.Name != null &&
                               g.Name.Equals(groupName, StringComparison.OrdinalIgnoreCase));
    }
}

401 Unauthorized Errors

Check these potential causes:

  • Client machine must be domain-joined
  • SPN (Service Principal Name) issues for Kerberos
  • Incorrect group name format (should be DOMAIN\GroupName)

Performance Considerations

For large AD environments, keep impersonation off so that each request runs as the application pool identity and authorization is decided from the roles already present in the user's token (ASP.NET web.config):

<system.web>
  <identity impersonate="false" />
  <authentication mode="Windows" />
  <authorization>
    <allow roles="DOMAIN\YourADGroup" />
    <deny users="*" />
  </authorization>
</system.web>

For more granular control, consider:

  • URL Authorization with custom providers
  • Claims-based authentication with ADFS
  • Application-level role checking

Internet Information Services (IIS) provides robust authentication mechanisms that integrate seamlessly with Active Directory (AD). This allows system administrators to control access to websites at a granular level using existing AD groups.

Before implementing this solution, ensure you have:

• Windows Server with IIS installed

• Active Directory configured

• Appropriate permissions to modify IIS settings

• The AD group created with necessary members

Here's how to configure IIS to restrict access to a specific AD group:

1. Configure Authentication

First, enable Windows Authentication and disable anonymous access:

<configuration>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>

2. Set Authorization Rules

Add authorization rules to restrict access to your AD group:

<configuration>
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Allow" users="" roles="DOMAIN\YourADGroup" />
        <add accessType="Deny" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>

The same configuration through IIS Manager:

  1. Open IIS Manager and select your site
  2. Double-click "Authentication"
  3. Disable Anonymous Authentication
  4. Enable Windows Authentication
  5. Click "Authorization Rules"
  6. Add Allow rule for your specific AD group
  7. Add Deny rule for all users (*)
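The authentication and authorization steps above (both the earlier "Enable Windows Authentication" / "Configure Authorization Rules" sections and the "Configure Authentication" / "Set Authorization Rules" sections here) can be applied from PowerShell instead of IIS Manager. The script below is an added example, not code from the original article; `$SiteName` and `$AllowedGroup` are placeholders, and it assumes the Windows Authentication role service is already installed (see the `Install-WindowsFeature` command earlier). It removes the inherited "All Users" allow rule, which is what IIS Manager writes when you delete that rule, rather than adding an explicit deny-all rule: with no Allow rule matching the request, IIS URL authorization denies it.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: apply the authentication and
# authorization settings with the WebAdministration module. Placeholders below.
Import-Module WebAdministration

$SiteName     = 'Default Web Site'        # placeholder: site, or 'Site/App' for an application
$AllowedGroup = 'DOMAIN\YourADGroup'      # placeholder: the only group permitted to reach the site
$AppHost      = 'MACHINE/WEBROOT/APPHOST' # applicationHost.config
$SitePath     = "IIS:\Sites\$SiteName"    # the site's own web.config

# --- 1. Authentication: Windows on, Anonymous off ------------------------------
# Both authentication sections are locked at server level by default, so a site
# web.config cannot change them. Writing with -Location puts the values into a
# <location path="..."> element of applicationHost.config, which is permitted.
$authBase = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$authBase/anonymousAuthentication" -Name 'enabled' -Value $false
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$authBase/windowsAuthentication" -Name 'enabled' -Value $true

# --- 2. Authorization: only $AllowedGroup ---------------------------------------
# The server-level default is <add accessType="Allow" users="*" />, inherited by
# every site. Removing that inherited rule is what IIS Manager writes when you
# delete "All Users" from Authorization Rules; with no Allow rule matching the
# request, IIS URL authorization denies it, so no explicit Deny rule is needed.
$authzFilter = 'system.webServer/security/authorization'
Remove-WebConfigurationProperty -PSPath $SitePath -Filter $authzFilter -Name '.' `
    -AtElement @{ users = '*'; roles = ''; verbs = '' } -ErrorAction SilentlyContinue

# Idempotent: adding a duplicate collection entry is an error, so check first.
$rules   = @(Get-WebConfiguration -PSPath $SitePath -Filter "$authzFilter/add")
$already = $rules | Where-Object { $_.accessType -eq 'Allow' -and $_.roles -eq $AllowedGroup }
if (-not $already) {
    Add-WebConfigurationProperty -PSPath $SitePath -Filter $authzFilter -Name '.' `
        -Value @{ accessType = 'Allow'; roles = $AllowedGroup }
}

# --- 3. Read back what is now effective for the site ----------------------------
function Get-SiteAccessConfig {
    param([string]$Site = $SiteName)
    [pscustomobject]@{
        Site          = $Site
        AnonymousAuth = (Get-WebConfigurationProperty -PSPath $AppHost -Location $Site `
                            -Filter "$authBase/anonymousAuthentication" -Name 'enabled').Value
        WindowsAuth   = (Get-WebConfigurationProperty -PSPath $AppHost -Location $Site `
                            -Filter "$authBase/windowsAuthentication" -Name 'enabled').Value
        AuthzRules    = @(Get-WebConfiguration -PSPath "IIS:\Sites\$Site" -Filter "$authzFilter/add" |
                            ForEach-Object { "$($_.accessType) users='$($_.users)' roles='$($_.roles)'" })
    }
}

Get-SiteAccessConfig | Format-List
```

Review the `AuthzRules` output before testing: it should list only the Allow rule for your group. If the inherited `Allow users="*"` still appears, the site is not actually restricted yet.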

Test your configuration by:

1. Logging in with a user account that's a member of the allowed AD group

2. Attempting access with a non-member account

3. Checking IIS logs for authentication attempts

If you encounter problems:

• Ensure proper group name format (DOMAIN\GroupName)

• Verify the application pool identity has read access to AD

• Check that Windows Authentication is properly installed in IIS

• Examine the Security Event Log for authentication failures
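The test and troubleshooting steps above (and the earlier "401 Unauthorized Errors" list) can be driven from PowerShell. The following is an added example, not code from the original article: it requests the site with the calling user's Windows credentials, summarises IIS W3C log lines by user and status, and pulls recent failed-logon events from the Security log. The site URL and log path are placeholders, the sample log lines are constructed for illustration, and `Get-RecentLogonFailures` needs an elevated session on the IIS host.

```powershell
# Added example, not from the original article. Placeholders: $SiteUrl, log path.

function Test-SiteAccess {
    param([Parameter(Mandatory)][string]$Url)
    # Sends the calling user's Windows credentials (Kerberos or NTLM). Run once as
    # a member of the allowed group (expect 200) and once as a non-member (expect
    # 401). The status code is returned rather than thrown so both runs compare alike.
    try {
        $r = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
        return [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

function Get-AuthOutcomeSummary {
    # Tabulates W3C log lines by cs-username and sc-status.sc-substatus.
    #  - A 401.2 with cs-username '-' is the initial challenge, not a failure.
    #  - A 401 logged against a real username means the credentials were accepted
    #    and the request was then refused: look at the authorization rules and the
    #    group name format, not at the password or the SPN.
    param([Parameter(Mandatory)][string[]]$LogLines)
    $fields = $null
    $rows = foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        [pscustomobject]@{
            User   = $rec['cs-username']
            Client = $rec['c-ip']
            Status = "$($rec['sc-status']).$($rec['sc-substatus'])"
        }
    }
    $rows | Group-Object User, Status | ForEach-Object {
        [pscustomobject]@{ User = $_.Group[0].User; Status = $_.Group[0].Status; Count = $_.Count }
    } | Sort-Object User, Status
}

function Get-RecentLogonFailures {
    # Security event 4625 ("An account failed to log on") on the IIS host. Needs an
    # elevated session. Status/SubStatus are the NTSTATUS codes behind the failure.
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType = $d.LogonType
                Status    = $d.Status
                SubStatus = $d.SubStatus
                Source    = $d.IpAddress
            }
        }
}

# Constructed sample of an IIS W3C log (not a real capture): alice is in the
# allowed group, bob is not; each browser first receives the 401.2 challenge.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 09:00:01 10.0.0.5 GET /intranet/ - 80 - 10.0.0.21 Mozilla/5.0 - 401 2 5 3
2024-01-15 09:00:01 10.0.0.5 GET /intranet/ - 80 DOMAIN\alice 10.0.0.21 Mozilla/5.0 - 200 0 0 12
2024-01-15 09:00:15 10.0.0.5 GET /intranet/ - 80 - 10.0.0.22 Mozilla/5.0 - 401 2 5 2
2024-01-15 09:00:15 10.0.0.5 GET /intranet/ - 80 DOMAIN\bob 10.0.0.22 Mozilla/5.0 - 401 2 5 4
'@ -split "`r?`n"

Get-AuthOutcomeSummary -LogLines $SampleLog | Format-Table -AutoSize

# Live use on the server (placeholders for the site URL and log file):
# Test-SiteAccess -Url 'http://intranet.example.local/'
# Get-AuthOutcomeSummary -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240115.log')
# Get-RecentLogonFailures -Hours 2
```

On the constructed sample the summary shows `DOMAIN\alice` with a single 200.0, `DOMAIN\bob` with a 401.2, and two 401.2 rows for `-` (the challenges). A 401 that appears only against `-`, with no authenticated follow-up, points at credentials, SPN or client configuration instead; that is where the Security log query and `setspn -Q HTTP/<hostname>` come in.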

For more complex scenarios, consider:

• Using location tags for path-specific restrictions

• Implementing URL Authorization with multiple groups

• Combining with IP restrictions for additional security layers

When implementing AD group restrictions:

• Large groups may impact authentication performance

• Consider nested group memberships carefully

• Evaluate the need for frequent group membership checks