0
Answered

Restrict access to IIS

Matthew Woolnough 7 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 7 years ago 4

I have configured IdB to use IIS, but there is nothing in the doco to suggest that it should be restricted. 

http://voice.unifysolutions.net/topics/2943-configuring-identity-broker-for-use-with-iis/

Leaving access open to any authenticated user is potentially a security risk.  

I have configured IIS to only listed on 127.0.0.1, but presumably there is something else in IdB to perform this role. 

How can IdB be restricted when using IIS?

Answer

Answer
Answered

Hi Matt,

We removed the IDB auth settings from 5.0 as it was unmaintanable. From 5.2 onwards, we provide auth settings through Owin (as seen on this page.)

For 5.0 and 5.1, auth settings can be restricted in IIS through groups etc, using examples such as this one or settings found here. Up to the consultant and client how the restrictions look in line with what the requirements are.

GOOD, I'M SATISFIED
Satisfaction mark by Matthew Woolnough 7 years ago
Answer
Answered

Hi Matt,

We removed the IDB auth settings from 5.0 as it was unmaintanable. From 5.2 onwards, we provide auth settings through Owin (as seen on this page.)

For 5.0 and 5.1, auth settings can be restricted in IIS through groups etc, using examples such as this one or settings found here. Up to the consultant and client how the restrictions look in line with what the requirements are.

Using the example from your link, to secure IdB, what should the value of location path be?


<configuration>
  <location path="MyPage.aspx/php/html">
      <system.web>
         <authorization>
            <allow users="DOMAIN\Domain Admins"/>
            <deny users="DOMAIN\Domain Users"/>
         </authorization>
      </system.web>
   </location>
</configuration>

Hi Matt,

This link ( https://docs.microsoft.com/en-us/iis/manage/configuring-security/understanding-iis-url-authorization ) provides some outline on how you can limit authentication to a single file or a whole directory. It's my understanding that if you configure the web.config in the site root, you may not need to include a 'path' key and the auth will apply to the whole directory. 

The above link also provides instructions on using the IIS UI to configure authentication instead of modifying config files.

This approach required the installation of an additional feature:

Install-WindowsFeature Web-Url-Auth