How do I secure a .NET (MVC) website prior to launch?

I have a .NET (MVC2) website that is in development. I have deployed it to some production infrastructure, and tested it over the internet with anonymous access (as it will be once it is live) and it works fine. Between now and the go-live date I would like to restrict access to a small test group.

However, when I turn off anonymous access (I'm using IIS 7 on Windows 2008 R2 64-bit) and enable Basic Authentication, two things go wrong: first, it interferes with the site authentication, and redirects to the configured site login page, and second, for some reason the stylesheets stop 'working'. i.e. the site appears as if it has no stylesheets, even though they are being downloaded correctly (as viewed in Fiddler / Firebug.)

What I want is to secure access to the server - I don't want to use Basic Authentication as the authentication mechanism for the MVC website - that is handled by standard forms authentication. I simply want to stop people snooping the site before it goes live.

I've had this before, and always struggled with the lack of an easy / obvious "protect this server with a password" functionality.

There must be a simple answer. (I'm thinking of a functional equivalent to a .htaccess file, but for IIS)?

[UPDATE] Following on from my near-miss (see answer below), what I want is Windows authentication to control access to the site, and ASP.NET authentication to control a user's interaction with the website (their identity, whether the appear logged in / out, etc.)


Solution 1:

You may be able to do what you want by setting IP Address and Domain Restrictions for the site. It is an option in IIS Manager.