IIS 7: Disable authentication for certain client IPs

I have a virtual directory that's protected with basic authentication. I'd like to disable authentication for certain IPs, so that all requests from e.g. 127.0.0.1 are allowed without asking for credentials. How can I do this?


I was unable to find a built-in way to make this happen. I ended up writing an IIS module using the instructions by Microsoft.

The module checks the client's IP address (using HttpRequest.UserHostAddress), and if it is not on the exempt list, re-implements the standard basic authentication for Windows accounts (using the LogonUser API and setting HttpContext.User to a WindowsPrincipal). The authentication domain and list of exempt IP addresses are read from web.config (using ConfigurationManager.AppSettings).

Stumbling blocks included:

  • I wanted to exempt the server itself, so I added 127.0.0.1 and the server's IP address to the exempt list, but also had to add ::1 (IPv6 localhost).
  • I'm using this to protect access to hgweb, and for some reason I had to change the entries in hgrc's allow_push line from username to DOMAIN\username after enabling the plugin.
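
The module described in the answer, as an added example that is not the answer author's code: the exempt list is compared as parsed IP addresses, so any textual spelling of an address (for instance `::1` or `0:0:0:0:0:0:0:1`) matches, and every other client goes through Basic authentication via `LogonUser`. The class name, the appSettings keys `ExemptIPs` and `AuthDomain`, and the realm string are assumptions, as is a site where IIS's built-in Basic authentication is disabled and anonymous access is enabled so that this module is the only gate.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;
using System.Web;

// Added example; "ExemptIPs" and "AuthDomain" are assumed appSettings key names.
public class ExemptIpBasicAuthModule : IHttpModule
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password, int logonType, int provider, out IntPtr token);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);

    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticate; }
    public void Dispose() { }

    // Compare parsed addresses rather than strings; an unparsable client address is never exempt.
    public static bool IsExempt(string clientAddress, string exemptList)
    {
        IPAddress client;
        if (!IPAddress.TryParse(clientAddress, out client)) return false; // fail closed
        return (exemptList ?? "").Split(new[] { ',', ';', ' ' }, StringSplitOptions.RemoveEmptyEntries)
            .Any(s => { IPAddress a; return IPAddress.TryParse(s, out a) && a.Equals(client); });
    }

    void OnAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (IsExempt(ctx.Request.UserHostAddress, ConfigurationManager.AppSettings["ExemptIPs"]))
            return; // exempt peer: no credentials requested, request stays anonymous
        string header = ctx.Request.Headers["Authorization"] ?? "";
        if (header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
        {
            try
            {
                // Basic credentials are base64("user:password"); split on the first ':' only.
                string[] cred = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6))).Split(new[] { ':' }, 2);
                IntPtr token;
                // 3 = LOGON32_LOGON_NETWORK, 0 = LOGON32_PROVIDER_DEFAULT
                if (cred.Length == 2 && LogonUser(cred[0], ConfigurationManager.AppSettings["AuthDomain"], cred[1], 3, 0, out token))
                {
                    // WindowsIdentity duplicates the token, so the original handle is closed here.
                    try { ctx.User = new WindowsPrincipal(new WindowsIdentity(token)); } finally { CloseHandle(token); }
                    return;
                }
            }
            catch (FormatException) { } // malformed Base64: fall through to the 401 challenge
        }
        ctx.Response.StatusCode = 401;
        ctx.Response.AddHeader("WWW-Authenticate", "Basic realm=\"restricted\"");
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

`UserHostAddress` is the address of the TCP peer, so behind a reverse proxy or load balancer every request carries the proxy's address, and exempting that address exempts all clients.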