This article is intended to be a collection of helpful links to resources for people (including myself) who are setting up and configuring IIS8.5 on Windows Server 2012. I am also providing a step-by-step example of setting up a new Web site in IIS and configuring it for Windows Authentication.
If you find this article useful, then take a look at my guide to setting up sites in IIS7 .
Getting Started
For starters, you will want to actually find IIS. Here is an article describing the steps:
http://technet.microsoft.com/en-us/library/jj635847.aspx
In case you are working with a fresh server install, here is a link to a step-by-step setup guide for first time configuration of IIS8 on Windows Server 2012:
http://www.iis.net/learn/get-started/whats-new-in-iis-8/installing-iis-8-on-windows-server-2012
Example Steps for Setting up a New Site with Windows Authentication
As an example, below are the steps to take if you want to set up your Web server with Windows authentication and ASP.NET 4.0. Windows Authentication identifies users on a network using their Active Directory accounts. The steps for setting up forms authentication are similar.
- First add your site to IIS8.
- Then create a new application pool that is set to:
- Set the .NET CLR dropdown to ASP.NET 4.0
- Set the Managed Pipeline to Integrated mode
- Click on your new Web site in IIS8. You should see an option titled Authentication
- Click on the option titled Authentication
- Under the Authentication options set Anonymous to Disabled
- Under the Authentication options set Windows Authentication to Enabled
- Then click Advanced Settings
- In the Extended Protection drowdown list select the Accept option
- Update your Web site’s Web.config file with:
- Authentication mode: Windows
- Disable Identity Impersonate
- Deny all unauthenticated users
- Here is an example of the Web.config markup:
<configuration> <system.web> <authentication mode="Windows" /> <identity impersonate="false" /> <authorization> <deny users="?" /> </authorization>
Overview of the Extended Protection Setting
Here is a useful article that explains the options and mechanics of the Extended Protection settings: http://support.microsoft.com/kb/973917 To sum this protection option up, Extended Protection is an extra level of security on top of Windows Authentication, that helps to prevent man in the middle attacks.
In addition, selecting the Accept option (instead of the Required option) for Extended Protection will provide down-level support for Web clients that don’t support this level of protection.
Classic vs Integrated Pipeline Mode
The addition of an Integrated Pipeline Mode for ASP.NET application pools was an important change implemented with the transition of IIS6 to IIS7. With IIS8 you can still run your applications in Classic mode.
Setting your application pool to run in Classic mode means that IIS will process ASP.NET requests first and will then hand off processing to Aspnet_isapi.dll, which does its thing and then hands its results back to IIS to serve to the user.
Conversely, Integrated mode means that IIS runs ASP.NET in a unified process, which significantly reduces the overhead of Classic mode where ASP.NET was treated as an external plugin.
The take-away message from all of this is that running your ASP.NET in Integrated application pool mode results in better performance for your applications and should be used whenever possible.
If you are interested in reading further about Classic vs. Integrated pipeline modes, then take a look at this discussion on StackOverflow.
Justin Cooney 
I tried to resolve “ASP.NET is not authorized to access the requested resource” error. I followed the instructions in this article and got the problem resolved. Thanks a lot!
Thanks for the feedback Julia, I’m glad the article was helpful.