84
votes

I'd like to add basic authentication to my website. I followed the instructions in the MSDN article on Configure Basic Authentication (IIS 7)

To use the UI

  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).
  2. In Features View, double-click Authentication.
  3. On the Authentication page, select Basic Authentication.
  4. In the Actions pane, click Enable to use Basic authentication with the default settings.
  5. Optionally, in the Actions pane, click Edit to type the default domain and realm.
  6. In the Edit Basic Authentication Settings dialog box, in the Default domain text box, type a default domain or leave it blank. Users who do not provide a domain when they log on to your site are authenticated against this domain.
  7. In the Realm text box, type a realm or leave it blank. In general, you can use the same value for the realm name as you used for the default domain.
    • Important
      If you enter the default domain name in the Realm text box, your internal Microsoft Windows domain name may be exposed to external users during the user name and password challenge.
  8. Click OK to close the Edit Basic Authentication Settings dialog box.

Here's what I've done so far:

IIS Manager - Authentication Authentication Page - Basic Authentication

Now I need to create a user account for the basic authentication.

Does anyone know how to create users in IIS Manager?

9
were you able to get the solution for this?pranag

9 Answers

79
votes

Right click on Computer and choose "Manage" (or go to Control Panel > Administrative Tools > Computer Management) and under "Local Users and Groups" you can add a new user. Then, give that user permission to read the directory where the site is hosted.

Note: After creating the user, be sure to edit the user and remove all roles.

25
votes

I know this is a really old question but I wanted to add a bit of explanation that I discovered the hard way (this is n00b information).

"Basic Authentication" shares the same accounts that you have on your local computer or network. If you leave the domain and realm empty, local accounts are what are actually being used. So to add a new account you follow the exact process you would for adding a normal new user account to your local computer (as answered by JoshM or shown here). If you enter a domain and realm you can create network accounts in your local active directory and these are what will be used to log the user in and out.

Because it has been around for so long, basic authentication is generally compatible with any browser/system out there but it does have to major flaws:

  • user and password are sent in the clear (except over SSL)
  • you need to have a user account for each user or client

For more information about basic authentication or user accounts see the following MSDN page.

8
votes

I was able to achieve Basic Authentication on Windows Server 2012 doing the following:

Select your site within IIS and choose Authentication enter image description here

Ensure Basic Authentication is the only enabled option enter image description here

THEN! Add a username and password via the Server Manager. Select Tools -> Computer Management enter image description here

Under System Tools -> Local Users and Groups -> Users right-click anywhere in the middle pane, choose New User.. then fill in the credentials you want to use. enter image description here

Now when you navigate to the site in the browser you should get prompted with an authentication dialog:

enter image description here

7
votes

If you create a user with the advanced user management (from command line: netplwiz), then modify the group, remove users, and add iis_users. They will be able to authenticate to your web page, but not the computer.

5
votes

Unfortunatelly, for IIS installed on Windows 7/8 machines, there is no option to create users only for IIS authentification. For Windows Server there is that option where you can add users from IIS Manager UI. These users have roles only on IIS, but not for the rest of the system. In this article it shows how you add users, but it is incorrect stating that is also appliable to standard OS, it only applies to server versions.

3
votes

It looks to me like Windows 8 and IIS 7 no longer provides any UI to create a user name and password for basic authentication that is NOT a windows local user account. It is clearly a superior approach to create an IIS-only user/password authentication pair, but it is not clear and easy how it is done.

Command line tools exist for this purpose. Some people create a Windows account and then remove the Log on Locally User Privilege.

1
votes

Configure basic authentication using the instructions from microsoft. But for the Default Domain Name, type your computer name. To find your computer name, click start, right-click computer, click properties, and search for your computer name there :)

Next, create users like you would normally do on windows 7. or if you don't know how to do it, go control-panel, users, add account.....blah blah blah.... Get It?

Next go to iis and set permissions for the user you just created. Be carefull to set the permissions to make it exactly how you want it.

That's all! To login, the username and password!

NOTE: The username should be simple letters, not capital. I'm not sure about this, that's why i told you this.

1
votes

Just to add a note, since I can't comment without 50+ rep...

If you have FIPS enabled on the server, it doesn't allow you to create users. Because IIS v8 (and lower I would imagine) does not use FIPS encryption algorithms. It would be great if it supported it , because obviously a user account in windows is insecure compared to a virtual user mapped to an isolated folder. Too bad.

enter image description here

1
votes

in iis manager click directory to protect.

choose authorization rules.

add deny anonymous users rule.

add allow all users rule.

go back to: "in iis manager click directory to protect" click authentication disable all except basic authentication.

the directory is now protected. only people with user accounts can access the folder over the web.