IIS 10 - Authorization issue RRS feed

  • Question

  • Hi, I have web services built and hosted on IIS 10, Windows server 2016.

    These web services currently have open Authorization. If it goes live to Production this web service is accessible to everyone.

    So, how can I set and Deny access to only certain users to access this web service. Please advise


    • Moved by CoolDadTx Wednesday, February 19, 2020 9:19 PM ASP.NET related
    Wednesday, February 19, 2020 6:07 AM

All replies

  • So, how can I set and Deny access to only certain users to access this web service

    The Web service itself should be doing autentication and not IIS itself. 


    You can further discuss this at the below forums.




    Wednesday, February 19, 2020 7:59 AM
  • My question how I can restrict the permissions on the Web site Level on IIS.

    Editing of web.config does not work, when I deny the access of "All Users" and allow the access for admins. I tried also using IIS "Authorization Rules". This does not work also, when I change the default rule from "ALLOW to All Users" to  "DENY to All Users",  and create a new rule "ALLOW to Domain Admins". The existing authenticated users on the AD Domain can still access the site.

    As you know, there is also another rule named ".NET Authorization Rules". The default setting ist "ALLOW to All Users" (inherited). If I set this to 'DENY' still can access.

    Stuck on the security issue. Can anyone please advise any other way of having this Authorization/Security set ?


    Wednesday, February 19, 2020 6:19 PM
  • The forum addresses C# issues.  You can post to the IIS forums for help. Myself I don't look at IIS as a security solution that would slow IIS down as it blocked or allowed inbound traffic, which is the job of a standalone firewall solution.


    Wednesday, February 19, 2020 8:44 PM