92

I'd like to add basic authentication to my website. I followed the instructions in the MSDN article on Configure Basic Authentication (IIS 7):

To use the UI

  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).
  2. In Features View, double-click Authentication.
  3. On the Authentication page, select Basic Authentication.
  4. In the Actions pane, click Enable to use Basic authentication with the default settings.
  5. Optionally, in the Actions pane, click Edit to type the default domain and realm.
  6. In the Edit Basic Authentication Settings dialog box, in the Default domain text box, type a default domain or leave it blank. Users who do not provide a domain when they log on to your site are authenticated against this domain.
  7. In the Realm text box, type a realm or leave it blank. In general, you can use the same value for the realm name as you used for the default domain.
    • Important
      If you enter the default domain name in the Realm text box, your internal Microsoft Windows domain name may be exposed to external users during the user name and password challenge.
  8. Click OK to close the Edit Basic Authentication Settings dialog box.

Here's what I've done so far:

[Screenshots: IIS Manager - Authentication; Authentication Page - Basic Authentication]

Now I need to create a user account for the basic authentication.

Does anyone know how to create users in IIS Manager?

KyleMit
Joseph Bi

10 Answers

87

Right click on Computer and choose "Manage" (or go to Control Panel > Administrative Tools > Computer Management) and under "Local Users and Groups" you can add a new user. Then, give that user permission to read the directory where the site is hosted.

Note: After creating the user, be sure to edit the user and remove all roles.

Josh M.
  • 12
    This is sub-ideal because it creates a vector for attack, allowing users to log into my machine. The approach where "IIS Management User" is created that has no login or local privileges on my Windows machine is superior. – Warren P May 29 '14 at 14:15
  • 8
    @WarrenP - No, you just remove all roles from the user after creation and they can't login or do anything you don't specifically give them permission to do. – Josh M. May 30 '14 at 00:10
  • 2
    So a local user account with no roles can not do anything? Good. The default role "local user" is the one granting login, and can be removed. – Warren P May 30 '14 at 13:39
  • @WarrenP - that is my understanding. And regardless, you should be setting a strong password on the user account. – Josh M. May 30 '14 at 16:54
  • 3
    I need to add this here because it took me some time to find it: after creating the user and removing all the roles as suggested by Josh M, you need to change the general settings, because by default "User must change password at next logon" will be ticked and this will cause an issue. So what you want is to un-tick this and tick "User cannot change password". – dori naji Aug 24 '16 at 10:21
27

I know this is a really old question but I wanted to add a bit of explanation that I discovered the hard way (this is n00b information).

"Basic Authentication" shares the same accounts that you have on your local computer or network. If you leave the domain and realm empty, local accounts are what are actually being used. So to add a new account you follow the exact process you would for adding a normal new user account to your local computer (as answered by JoshM or shown here). If you enter a domain and realm you can create network accounts in your local active directory and these are what will be used to log the user in and out.

Because it has been around for so long, basic authentication is generally compatible with any browser/system out there, but it does have two major flaws:

  • user and password are sent in the clear (except over SSL)
  • you need to have a user account for each user or client

For more information about basic authentication or user accounts see the following MSDN page.

drew_w
16

I was able to achieve Basic Authentication on Windows Server 2012 doing the following:

Select your site within IIS and choose Authentication.

Ensure Basic Authentication is the only enabled option.

THEN! Add a username and password via the Server Manager. Select Tools -> Computer Management.

Under System Tools -> Local Users and Groups -> Users, right-click anywhere in the middle pane, choose New User..., then fill in the credentials you want to use.

Now when you navigate to the site in the browser you should get prompted with an authentication dialog.

Colin
9

If you create a user with the advanced user management (from command line: netplwiz), then modify the group, remove users, and add iis_users. They will be able to authenticate to your web page, but not the computer.

msrd0
Uwe Donaldson
  • Thanks, that was exactly what I was searching for. The group is called "`IIS_IUSRS`" on local machines, though. – bjoster May 07 '19 at 08:53
  • IIS_IUSRS is not the correct group for this. "IIS_IUSRS is a built-in group has access to all the necessary file and system resources so that an account, when added to this group, can seamlessly act as an application pool identity." – cbp Jan 25 '21 at 11:02
6

Unfortunately, for IIS installed on Windows 7/8 machines, there is no option to create users only for IIS authentication. For Windows Server there is that option, where you can add users from the IIS Manager UI. These users have roles only on IIS, but not for the rest of the system. This article shows how you add users, but it is incorrect in stating that this is also applicable to the standard OS; it only applies to server versions.

GrandMasterFlush
kristi_io
  • When I create a local user, how do I use it in basic auth then? My created user is not recognized – spankmaster79 Jun 20 '14 at 08:28
  • Don't forget to enable Basic authentication in IIS Server. – kristi_io Jun 22 '14 at 15:52
  • 1
    According to here (http://technet.microsoft.com/en-us/library/cc771311%28v=WS.10%29.aspx), the IIS Manager User is not a normal user. I think it's for management purpose. For adding user for basic Authentication, I agree with drew_w's answer. – smwikipedia Sep 07 '14 at 16:01
  • I don't think IIS Manager is meant for normal use. – smwikipedia Sep 09 '14 at 08:24
  • Cannot authenticate when using an IIS Manager user for Basic Authentication – Johnny Qian Jun 15 '17 at 05:37
  • 3
    I don't know how this has gotten any upvotes. IIS Manager users are for the WMI service, not HTTP Basic auth. WMI is used for many things, such as publishing web apps via Web Deploy. Frontend user authentication is not one of those things. – Jason Carter Aug 14 '19 at 12:55
  • This answer is simply wrong. You cannot use IIS Manager users for Basic Authentication. You can use them for FTP auth, though. – The Conspiracy May 21 '20 at 19:26
4

It looks to me like Windows 8 and IIS 7 no longer provide any UI to create a user name and password for basic authentication that is NOT a Windows local user account. It is clearly a superior approach to create an IIS-only user/password authentication pair, but it is not clear and easy how it is done.

Command line tools exist for this purpose. Some people create a Windows account and then remove the Log on Locally User Privilege.

Warren P
1

Configure basic authentication using the instructions from Microsoft. But for the Default Domain Name, type your computer name. To find your computer name, click Start, right-click Computer, click Properties, and search for your computer name there :)

Next, create users like you would normally do on Windows 7. Or if you don't know how to do it, go to Control Panel, Users, Add account.....blah blah blah.... Get It?

Next, go to IIS and set permissions for the user you just created. Be careful to set the permissions to make it exactly how you want it.

That's all! To log in, use the username and password!

NOTE: The username should be simple letters, not capital. I'm not sure about this, that's why I told you this.

Alsan Ali
1

Just to add a note, since I can't comment without 50+ rep...

If you have FIPS enabled on the server, it doesn't allow you to create users, because IIS v8 (and lower, I would imagine) does not use FIPS encryption algorithms. It would be great if it supported it, because obviously a user account in Windows is insecure compared to a virtual user mapped to an isolated folder. Too bad.

Barry
1

In IIS Manager, click the directory to protect.

Choose Authorization Rules.

Add a deny anonymous users rule.

Add an allow all users rule.

Go back to "In IIS Manager, click the directory to protect", click Authentication, and disable all except Basic Authentication.

The directory is now protected. Only people with user accounts can access the folder over the web.

P GS
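
The steps from the answers above (a local account removed from its default group with "User cannot change password" set, read permission on the site directory, Basic as the only anonymous-free scheme, and a deny rule for anonymous users), scripted in PowerShell as an added example that is not part of any post in this thread. The site name, path and account name are placeholders; it assumes the Basic Authentication and URL Authorization features are installed and that the site already has an HTTPS binding.

```powershell
#Requires -RunAsAdministrator
# Added example: every name below is a placeholder, not a value from the thread.
Import-Module WebAdministration

$SiteName = 'Default Web Site'     # assumed site name
$SitePath = 'C:\inetpub\wwwroot'   # assumed physical path of the site
$UserName = 'webbasic1'            # hypothetical account used only for this site
$AppHost  = 'MACHINE/WEBROOT/APPHOST'
$Security = 'system.webServer/security'

# 1. Local account; the switch matches the "User cannot change password" box.
$password = Read-Host -AsSecureString "Password for $UserName"
New-LocalUser -Name $UserName -Password $password -UserMayNotChangePassword `
    -Description 'IIS Basic authentication only' | Out-Null

# 2. Remove it from BUILTIN\Users (well-known SID S-1-5-32-545) if it is a member.
Remove-LocalGroupMember -SID 'S-1-5-32-545' -Member $UserName -ErrorAction SilentlyContinue

# 3. Read-only access to the site content, inherited by files and subfolders.
icacls $SitePath /grant "${UserName}:(OI)(CI)(RX)" | Out-Null

# 4. Basic on, anonymous off. Disable any other installed scheme the same way.
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$Security/authentication/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$Security/authentication/basicAuthentication" -Name enabled -Value $true

# 5. Authorization rule: deny anonymous users (the default rule already allows all users).
Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$Security/authorization" -Name '.' -Value @{ accessType = 'Deny'; users = '?' }

# 6. Basic sends the password in the clear, so refuse plain-HTTP requests.
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$Security/access" -Name sslFlags -Value 'Ssl'

# Show the resulting state of both schemes for review.
foreach ($scheme in 'anonymousAuthentication', 'basicAuthentication') {
    $state = Get-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter "$Security/authentication/$scheme" -Name enabled
    '{0}: {1}' -f $scheme, $state.Value
}
```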
0

@Colin

"Local Users and Groups" is Windows authentication

JOEL