IIS 7: Configure a New Web Site for ASP.NET 2.0 and Windows Integrated Authentication

In this article I will review the steps needed to get IIS 7 (on Windows 2008 server) hosting ASP.NET pages. I cover the basic steps to set up IIS7  in a previous article at:  https://jwcooney.wordpress.com/2011/08/17/iis-7-on-windows-7-setup-steps-to-get-iis-running-asp-net-files/

When working with a fresh installation of IIS 7 there are a few steps that need to be taken when setting up a new ASP.NET Web site. In this case I will show how to set up a new site running ASP.NET 2.0 that will use Windows Impersonation as an Authentication method.

1. First open IIS (‘Start’, then ‘All Control Panel Items’, then Administrative tools, then Internet Information Services (IIS) Manager).

2. For starters we will need to make sure ASP.NET 2.0 has been registered under the Application Pools section. The Application Pools section is right below the server name In IIS.

3. Left click Application Pools to view the existing pools. If no ASP.NET 2.0 Application Pool exists yet click the ‘Add Application Pool’ option and in the pop-up window enter a descriptive name, select the .NET 2 Framework Version, leave the Managed pipeline mode as ‘Integrated’, and click ‘OK’ to save the new pool.

If .NET 2.0 has not been installed on the Server it may not appear as an option under the dropdown list of available .NET framework versions, and in this case one will need to download and install it separately. Currently Microsoft hosts the download of the .NET Framework Version 2.0 Redistributable Package at:

http://www.microsoft.com/en-US/download/details.aspx?id=6523

4. When the new Application Pool has been created its credentials must be updated. Click the ‘Advanced Settings’ option for the newly created .NET 2.0 Application Pool. In the pop-up that appears scroll to the Process Model section, and in the ‘Identity’ option dropdown change the selection from the default ‘ApplicationPoolIdentity’ to ‘NetworkService’.

5. Once the new ASP.NET 2.0 Application pool has been set up a new Web site can be registered to use the Application Pool. Expand the ‘Sites’ node. The Default Web Site should appear and can be disabled.

6. Before a new site can be added in IIS, make sure to update the Domain Name Server with the new name of the Web site and map it to the new server.

7. Once a DNS mapping exists the new site can be registered in IIS. In the IIS MMC right click the ‘Sites’ node and select the ‘Add Web Site’ option.

8. In the pop-up Window that appears enter the new site name that was registered earlier in the DNS mapping for the server, and click the ‘Select’ button beside it to update the Application Pool from the default pool to the newly created ASP.NET 2.0 pool.

9. Below the name, enter the physical path on the server to the Web site and then click the button below labeled ‘Connect as…’ . In this case the default ‘Pass Through Authentication’. When Pass-Through Authentication is selected and the user is not authenticated IIS will use the application pool identity.

Setting the Application Pool to the Network Service Option and the Web site to use Pass-Through Authentication will force the site to authenticate the user against the network so the ASP.NET User.Identity option will correctly obtain the network account of the person browsing the Web site (the same way that clicking ‘integrated Windows authentication’ worked under the Directory Security tab in IIS 6). This is described nicely at the following URL:

http://stackoverflow.com/questions/5307127/what-is-pass-through-authentication-in-iis-7

Furthermore, once the Web site is created it is important to set the ‘Physical Path Credentials Logon Type’ (Found under ‘Manage Sites’, ‘Advanced Settings’. The default is plain text which is insecure, so we can change this to the ‘Network’ option which is better.

Google books has a good description of managing IIS 7 Web security:

http://books.google.com/books?id=KaDFpUGjmUcC&pg=PA178&lpg=PA178&dq=physical+path+credentials+logon+type&source=bl&ots=PPmJt86EiD&sig=DXD-VUKalNcDiWuymdbs8sRNLgU&hl=en&ei=_FBWTofgBPSfsQK9r6myDA&sa=X&oi=book_result&ct=result&resnum=6&sqi=2&ved=0CE8Q6AEwBQ#v=onepage&q=physical%20path%20credentials%20logon%20type&f=false

10. Below the ‘Connect as…’ option in the ‘Binding’ section leave the Type as ‘http’, and the IP address as ‘All Unassigned’ at port 80. However, under Host name enter the new site name that was registered earlier in the DNS mapping for the server.

11. Now Click the ‘OK’ button to create the new Web site. At this point the Web site should properly serve up ASP.NET 2.0 pages and should ensure that only valid network-authenticated users are able to access the Web site.

A good resource for further reading can be found at the Microsoft TechNet site:

http://technet.microsoft.com/en-us/library/cc772350%28WS.10%29.aspx