Restrict access to IIS
I have configured IdB to use IIS, but there is nothing in the doco to suggest that it should be restricted.
http://voice.unifysolutions.net/topics/2943-configuring-identity-broker-for-use-with-iis/
Leaving access open to any authenticated user is potentially a security risk.
I have configured IIS to only listen on 127.0.0.1, but presumably there is something else in IdB to perform this role.
How can IdB be restricted when using IIS?
Answer
Hi Matt,
We removed the IDB auth settings from 5.0 as it was unmaintainable. From 5.2 onwards, we provide auth settings through Owin (as seen on this page).
For 5.0 and 5.1, auth settings can be restricted in IIS through groups etc, using examples such as this one or settings found here. Up to the consultant and client how the restrictions look in line with what the requirements are.
Using the example from your link, to secure IdB, what should the value of location path be?
<configuration>
  <location path="MyPage.aspx/php/html">
    <system.web>
      <authorization>
        <allow users="DOMAIN\Domain Admins"/>
        <deny users="DOMAIN\Domain Users"/>
      </authorization>
    </system.web>
  </location>
</configuration>
Hi Matt,
This link ( https://docs.microsoft.com/en-us/iis/manage/configuring-security/understanding-iis-url-authorization ) provides some outline on how you can limit authentication to a single file or a whole directory. It's my understanding that if you configure the web.config in the site root, you may not need to include a 'path' key and the auth will apply to the whole directory.
The above link also provides instructions on using the IIS UI to configure authentication instead of modifying config files.
This approach required the installation of an additional feature:
Install-WindowsFeature Web-Url-Auth
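As an added illustration of the site-root approach described in the answer above (this is not configuration from the Identity Broker documentation or from UNIFY), the following web.config uses the IIS URL Authorization feature (system.webServer/security/authorization, the one enabled by Web-Url-Auth) rather than the ASP.NET system.web/authorization element shown earlier in the thread. Placed in the site root with no location/path wrapper, it applies to every URL under the site. The group name DOMAIN\IdB Operators is a placeholder; substitute the group that should be allowed to reach the Identity Broker UI.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- applicationHost.config ships with an "Allow users=*" rule that is
             inherited by every site; remove it first, otherwise the Deny rule
             below never takes effect. -->
        <remove users="*" roles="" verbs="" />
        <!-- Placeholder group: only members of this AD group may access any
             URL under the site root. -->
        <add accessType="Allow" roles="DOMAIN\IdB Operators" />
        <!-- Everyone else, authenticated or not, is refused (HTTP 401/403). -->
        <add accessType="Deny" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

Two points worth checking after applying this. First, a roles-based Allow rule only works if the site actually authenticates the caller, so Anonymous Authentication must be disabled and Windows Authentication enabled on the site (in IIS Manager under Authentication, or in applicationHost.config; those authentication sections are locked against web.config overrides by default). Second, verify the result from a different machine with an account outside the group, and with a browser that holds no cached Windows credentials, so that a misplaced rule or an inherited Allow is caught before the site is exposed beyond 127.0.0.1.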