How to Properly Configure Password Protection using IIS Manager

I wrote this article because there seems to be some conflicting information on the Internet, but there is a simple way to password protect a directory in IIS with IIS Manager.

  1. First, connect to your site using IIS Manager.
  2. Next, highlight the root folder or the sub-folder you want to protect and then double click on the Authorization Rules module.

authorizationrules

3. Now, highlight the Allow All Users rule and click on the Remove link.

remove

4. Click on the Add Allow Rule… link which will bring up the window below.

add

5. Select the Specified users: option, enter a Windows/FTP username which has access to the site, and click on the OK button.

Now, when you enter the URL that points to the folder, you will be prompted to enter your Windows credentials to gain access.  If you prefer, you can create a web.config file with the following markup (or add it to an existing one) and place it the directory you want to protect.

< ?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system .webServer>
        <security>
            <authorization>
                <remove users="*" roles="" verbs=""></remove>
                <add accessType="Allow" users="WindowsUsername"></add>
            </authorization>
        </security>
    </system>
</configuration>

Leave a Reply