Windows Thread, IIS 6 Access control in Technical; Howdy,
We use IIS 6 to host intranet pages, used as pupils' homepage in IE. I want to roll this ...
22nd May 2008, 10:46 AM #1
IIS 6 Access control
We use IIS 6 to host intranet pages, used as pupils' homepage in IE. I want to roll this out for staff too, so have created a /staff/ directory in /wwwroot/ which i intend to set as staff's homepage.
How do i stop the pupils (sec. grp) viewing this?
Ta in advance.
IDG Tech News
22nd May 2008, 11:24 AM #2
Do staff & students authenticate to enter the site?
If there isnt any authentication then i guess theres nothing you can do in iis so you probably need to block parts of the site from students using a webfilter/proxy.
If authentication are setup then you just need to set permissions(ntfs) on the directory.
22nd May 2008, 12:01 PM #3
Can you explain more by authenticate on entry? Where's this set up in IIS? Haven't been elbow-deep in IIS too much so far
Anonymous access is set up - does disabling this force clients to authenticate?
22nd May 2008, 01:14 PM #4
In IIS you can setup authentication on the whole website of which ever folder/virtual directory you want. To get at it you just right click and go to properties, Directory Security. Under Authentication and Access Control>Edit. Here you untick Enable Annonymous Access and select the authentication method you want to setup. If you untick Enable Annoymous Access, yes it will need to authenticate to gain access.
22nd May 2008, 01:55 PM #5
If you are using IE on the internal network you should be able to set up the authentication method on the staff folder to use Windows Authentication and then only allow the staff group to view it. Thats how I setup my internal admin site.
22nd May 2008, 02:00 PM #6
Yep, change the authentication method for the site to basic or windows and then control access via the NTFS permissions on the folder holding the site files. Most restrictive always wins as per usual...
Originally Posted by SYNACK
22nd May 2008, 02:40 PM #7
I did try that earlier - disable anonymous access and enable Windows auth. When i tested it, it popped up a username and password dialog :/ Not quite what i'm after. I was, though, testing from my machine running IE as a test pupil. I'll go try on a test PC actually logged in as said test student account...
Editypoo: Yep, that's the puppy. Cheers lads!
Last edited by Ryan; 22nd May 2008 at 02:48 PM.
22nd May 2008, 02:49 PM #8
You may need to make sure that IE is set to allow integrated authentication - see attachment - there should be an option in GP to set this domain wide.
Originally Posted by Ryan
22nd May 2008, 02:53 PM #9
Checked it and it's enabled for the test account, so will be the same for all students. It must be a discrepancy between using "Run as" and being fully logged on. Who knows. It's not letting them in anyway, so job done
22nd May 2008, 02:57 PM #10
This should do it in GP:
User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Pannel > Security Page > Intranet Zone > Logon Options : Automatic logon with current user name and password
This is for the IE7 ADM templates and relys on your site being detected as part of the intranet. You can change it to add this behavior to other zones though.
Edit: Ah looks like its already configured properly, I'll leve this here just in case it helps anyone else
Last edited by SYNACK; 22nd May 2008 at 03:03 PM.
22nd May 2008, 03:09 PM #11
Thanks dude. Have checked and enabled that explicitly. Won't hurt.
22nd May 2008, 03:27 PM #12
Hmm. Using a test staff account, it displays the "Connect to" dialog box - arg.
Everything is default in IIS. I have set the /staff/ dir to deny students. Disabled anan access and enabled Integrated Windows auth.
22nd May 2008, 04:17 PM #13
I assume you've already altered gpo for staff as instructed by synack above so just to see exactly whats wrong, try entering the user details and see if you have access i.e. Username: DomainName\TestStaff, Password: password. If you can gain access to the folder then you know its problem with your authentication method and if you cant, its something to do with permissions. Is Integrated Windows Authentication the only thing ticked?
22nd May 2008, 04:43 PM #14
Is the site showing in IE as in the intranet zone or internet zone? If the latter, it will always ask for credentials. It does help if the url is something like http://machinename/staff rather than a fqdn or IP address...
Originally Posted by Ryan
22nd May 2008, 05:36 PM #15
Thx mate, yep - i've gotten as far as that. There's a few niggles, but i've almost cracked it. Mostly lack of experience on my part and an improperly configured IIS.
Last Post: 24th July 2009, 11:49 PM
By SYSMAN_MK in forum Web Development
Last Post: 15th April 2008, 10:37 PM
By Simcfc73 in forum Network and Classroom Management
Last Post: 23rd October 2007, 02:37 PM
By kamikaze in forum Network and Classroom Management
Last Post: 30th July 2007, 08:02 AM
By Nij.UK in forum Windows Vista
Last Post: 6th June 2007, 11:19 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)