Thursday, February 3, 2011

How do I secure a .NET (MVC) website prior to launch?

I have a .NET (MVC2) website that is in development. I have deployed it to some production infrastructure, and tested it over the internet with anonymous access (as it will be once it is live) and it works fine. Between now and the go-live date I would like to restrict access to a small test group.

However, when I turn off anonymous access (I'm using IIS 7 on Windows 2008 R2 64-bit) and enable Basic Authentication, two things go wrong: first, it interferes with the site authentication and redirects to the configured site login page, and second, for some reason the stylesheets stop 'working', i.e. the site appears as if it has no stylesheets, even though they are being downloaded correctly (as viewed in Fiddler / Firebug).

What I want is to secure access to the server - I don't want to use Basic Authentication as the authentication mechanism for the MVC website - that is handled by standard forms authentication. I simply want to stop people snooping the site before it goes live.

I've had this before, and always struggled with the lack of an easy / obvious "protect this server with a password" functionality.

There must be a simple answer. (I'm thinking of a functional equivalent to a .htaccess file, but for IIS)?

[UPDATE] Following on from my near-miss (see answer below), what I want is Windows authentication to control access to the site, and ASP.NET authentication to control a user's interaction with the website (their identity, whether they appear logged in / out, etc.)

  • OK - so this may have been my mistake. In order to get IIS/ASP.NET playing nicely you cannot simply rely on the IIS Authentication module. Whilst I was busy enabling / disabling options in the IIS manager snap-in, the problem I was having (the redirect) was caused by a web.config setting:

    <authentication mode="Forms">
      <forms loginUrl="~/logon" protection="All" path="/" />
    </authentication>

    Irrespective of the option you select in IIS (Anonymous, Basic, Windows, Forms etc.) the web.config seems to override / interfere with the selection.

    The answer therefore is to replace the authentication element in web.config with one that states Windows authentication:

    <authentication mode="Windows"></authentication>

    And then to remove anonymous access via the IIS module, and select Basic instead.

    Hugo Rodger-Brown: Actually - this doesn't work - as it now logs the user into the site as the Windows user - which doesn't now make any sense. I can now express my problem a bit better though: I want Windows authentication to control access to the site, and ASP.NET authentication to control a user's interaction with the website (whether they appear logged in, access to secure areas - my account etc.)
  • You may be able to do what you want by setting IP Address and Domain Restrictions for the site. It is an option in IIS Manager.

    From beckelmw
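As an added illustration (not part of either answer above), here is what beckelmw's suggestion looks like when written into web.config instead of clicked through IIS Manager. It keeps the asker's existing forms authentication in charge of the application's own login state and lets IIS reject unlisted clients with a 403 before the request ever reaches ASP.NET, so the forms login redirect and the stylesheet problem seen with Basic Authentication do not arise for allowed clients. It assumes the "IP and Domain Restrictions" role service is installed and that the ipSecurity section has been unlocked at the server level (for example with `%windir%\system32\inetsrv\appcmd.exe unlock config /section:system.webServer/security/ipSecurity`); the addresses are constructed placeholders standing in for the test group.

```xml
<!-- Added example, not from the original answers. Assumes the IP and Domain
     Restrictions feature is installed and the ipSecurity section is unlocked
     at the server level; the IP addresses are constructed placeholders. -->
<configuration>
  <system.web>
    <!-- Forms authentication keeps controlling the user's identity inside the app -->
    <authentication mode="Forms">
      <forms loginUrl="~/logon" protection="All" path="/" />
    </authentication>
  </system.web>
  <system.webServer>
    <security>
      <!-- Deny every address that is not listed; IIS answers 403 for those
           clients before the request reaches the MVC pipeline -->
      <ipSecurity allowUnlisted="false">
        <!-- a single tester's address (placeholder) -->
        <add ipAddress="203.0.113.10" allowed="true" />
        <!-- a whole office range (placeholder) -->
        <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

Two practical caveats: testers behind a shared NAT or proxy all appear as one source address, so the list gates networks rather than people, and the `ipSecurity` element has to be removed (or `allowUnlisted` set back to `true`) as part of the go-live checklist, otherwise the public site will return 403 to everyone outside the test group.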