2

I just want to enable basic auth for 1 domain binding only and leave the rest publicly accessible. Is this possible with IIS?

Tuan Anh Tran

1 Answer

2

The binding information for a web site is used (by Windows Activation Service and http.sys) to determine to which web site incoming requests are routed.

For each web site you can enable the various authentication methods for the whole site, or a specific url within a site, but not based on the host name.

You have at least two options:

Option one is to use two separate web sites pointing to the same physical directory and using the same web.config in the site root.

You can still have different authentication methods for the two sites.

The drawback here is that you have two sets of logfiles and certain changes to the configuration have to be done twice as well.

Option two involves the URL Rewrite module.

Let's assume you have two host names bound to the site: normal.serverfault.com and secure.serverfault.com.

Create a virtual directory secure under the site root but point it to the same physical directory of the site itself (same as the root).

For the virtual directory, disable anonymousAuthentication and enable basicAuthentication.

Now add a rewrite-rule to the site:

<rewrite>
  <rules>
      <rule name="Secure">
          <match url=".*" />
          <conditions>
              <add input="{SERVER_NAME}" pattern="^secure\.serverfault\.com$" />
          </conditions>
          <action type="Rewrite" url="/secure/{R:0}" />
      </rule>
  </rules>
</rewrite>

We are re-writing all requests to use the secure virtual directory, but only if the host name is secure.serverfault.com.

Now users using normal.serverfault.com can still access the site without authentication, but when using secure.serverfault.com they have to log in.

One problem I see with this option is that the web.config in the root of your site is basically processed twice for the re-written requests.

Even though it only exists once physically, when executing a request in \secure\ it is once seen as the local one for the virtual directory and once more for the parent directory. So you have to make sure you don't have any settings that don't support this. For example, <add... nodes cannot be duplicated; you have to use <clear... or <remove... to work around this. Or you move settings into ApplicationHost.config.

You should test your site with this setup, but because the browser never knows the URL has been rewritten, it should work fine.

Peter Hahndorf
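The virtual-directory and authentication steps of option two, followed by a check of the result, as an added PowerShell example that is not part of the original answer. The site name `MySite`, the path `C:\inetpub\mysite` and a plain-HTTP binding reachable on 127.0.0.1 port 80 are assumptions, and `Get-AnonymousStatus` is a hypothetical helper.

```powershell
# Added example, not from the original answer. Run in an elevated session.
Import-Module WebAdministration

$site = 'MySite'              # assumption: name of the IIS site
$path = 'C:\inetpub\mysite'   # assumption: physical directory of the site root

# Virtual directory "secure" that points at the site's own physical directory.
New-WebVirtualDirectory -Site $site -Name 'secure' -PhysicalPath $path

# The authentication sections are locked at server level by default, so the
# settings are written to applicationHost.config in a <location> for the vdir.
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/secure" `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/secure" `
    -Filter "$auth/basicAuthentication" -Name enabled -Value $true

# Hypothetical helper: request the local server without credentials, using an
# explicit Host header, and report the status code and any auth challenge.
function Get-AnonymousStatus([string]$HostName, [string]$UrlPath = '/') {
    $req = [System.Net.WebRequest]::Create("http://127.0.0.1$UrlPath")
    $req.Host = $HostName
    $req.AllowAutoRedirect = $false
    try { $resp = $req.GetResponse() }
    catch {
        # A 401 surfaces as a WebException that still carries the response.
        $resp = $_.Exception.GetBaseException().Response
        if (-not $resp) { throw }
    }
    $result = [pscustomobject]@{
        Host      = $HostName
        Path      = $UrlPath
        Status    = [int]$resp.StatusCode
        Challenge = $resp.Headers['WWW-Authenticate']
    }
    $resp.Close()
    $result
}

# Compare both host names from the answer, then the vdir path on the open host.
Get-AnonymousStatus 'normal.serverfault.com'
Get-AnonymousStatus 'secure.serverfault.com'
Get-AnonymousStatus 'normal.serverfault.com' '/secure/'
```

With the rewrite rule from the answer in place, secure.serverfault.com should answer 401 with a Basic challenge while normal.serverfault.com is served without one. Basic authentication sends the credentials base64-encoded rather than encrypted, so the secure host name should be bound to HTTPS only.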