IIS Basic Authorization ala .htaccess/.htpasswd in apache

How do I implement the protection of the pages (asp.net mvc app), so when I hit the home page or any other pages within the application I get a login dialog popup in the browser

I'm looking for something similar to what Apache .htaccess and .htpasswd is doing.

I have IIS 7.5/Windows Server 2008 R2 Web edition.

Solution 1:

First of all you need to enable Basic Authentication. You can find this setting in the Authentication feature for the site in IIS Manager:

Double click on the icon then right click on Basic Authentication and select Enable:

You can also configure this directly in your web.config file (your application doesn't even have to be an ASP.NET application):

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <authentication>
                <basicAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
<configuration>

This will only work in the web.config provided that this feature has been delegated as Read/Write.

Out of the box you would need to create a separate Windows 2008 account for each login.

If you wanted to use a custom store (SQL Server, Membership Service) then you'd need to write your own Basic Authentication module:

Developing a Module Using .NET

Solution 2:

In the IIS Manager in Sites->Yoursite->Authentication you can disable "Anonymous Authentication" and enable "Basic Authentication" or any HTTP 401 Challenge that's appropriate for your website.