
I have created an employee webpage with a lot of company info, links, etc., but I want to protect the page because it contains some confidential company information. I am running IIS7 on Windows Server 2008 R2, and I already have the site setup as a normal, non-protected site. I want all active directory users to have access to the site. This is not an intranet site, it is exposed to the internet. I tried setting it up using Windows Authentication, but I had problems with multiple login prompts, etc. I just want a simple form for users to enter their credentials and have access to the site, and I need it to query the AD for login. I've searched the web for a guide on this, but I can't seem to find one that fits my situation. This is not a Web App. It is just a simple html site.

Does anyone have any suggestions or a link to a guide on this?

Thanks so much! -LB

Luke

1 Answer


If the server isn't directly exposed to the internet, but is exposed via a reverse proxy like IAG, UAG, TMG, then the simplest way to set this up is to enable forms based authentication there.

If it's directly exposed to the Internet, a) urgh, are you sure you want this?, b) look into using IIS Forms-Based Authentication - it's installed with ASP.Net and can be configured with a variety of authentication providers, but won't run against non-ASP.Net content by default - you'll need to toggle the ManagedHandler precondition for the FormsAuthenticationModule in order for it to work.

Don't forget SSL to protect the credentials when being sent via the web form.

TristanK
  • +1 for "urgh, are you sure you want to do this?" – Ward - Trying Codidact Dec 31 '11 at 10:08
  • Just curious, but why do you ask if I would want to do this? Is there a better alternative? – Luke Jan 01 '12 at 22:20
  • So the "sure you want to do this" refers to the "this server is on the Internet" part; it might already be reverse-proxied or otherwise protected, but the question doesn't provide any details on this, and creates the impression that a social engineering/phishing goldmine has been established on a relatively unprotected server. It is absolutely the right approach to want to protect that information, and I commend you for having reached that conclusion, but having a server directly exposed to the Internet with a questionable security configuration is often how breaches start. – TristanK Jan 01 '12 at 23:29
  • Ah, no no no. The entire server is not directly exposed to the Internet, I just have port 80 opened in the firewall. Is there more I should be doing? – Luke Jan 01 '12 at 23:42
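One way to wire the answer's approach into the site's web.config, as an added example that is not from the original answer or from Microsoft's documentation: the domain controller, the domain DN, the provider name and the login page are assumptions, and a small Login.aspx (an ASP.NET page with the Login control) still has to exist at loginUrl even though the rest of the site is static HTML. It assumes the site runs in an Integrated-mode application pool, which is what lets the ASP.NET modules see static-file requests at all.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <!-- Assumed DC host and domain DN; replace with the real ones -->
    <add name="AdConnection"
         connectionString="LDAP://dc1.corp.example.com/DC=corp,DC=example,DC=com" />
  </connectionStrings>
  <system.web>
    <!-- Forms auth; requireSSL keeps the auth cookie off plain HTTP -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" timeout="30" slidingExpiration="true" />
    </authentication>
    <!-- Deny anonymous ("?") users everywhere; AD users pass once authenticated -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- Validate submitted credentials against Active Directory -->
    <membership defaultProvider="AdMembership">
      <providers>
        <clear />
        <add name="AdMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="AdConnection"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
  <!-- The login page itself must stay reachable by anonymous users -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.webServer>
    <!-- Re-add both modules without the managedHandler precondition so they
         also run for static .html files, not only for ASP.NET requests -->
    <modules>
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    </modules>
  </system.webServer>
</configuration>
```

Without the UrlAuthorization re-add, `<deny users="?" />` is enforced only on .aspx requests and every .html page stays readable anonymously, so check a static URL in a fresh browser session after deploying.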