Question

I'm trying to lock down some http web services on our intranet. These are servicestack 3 services running on iis7. They are being accessed by iis7 on an external (dmz) web server via asp.net.

What I'd like is for only select people/groups and certain machines to be able to access them.

I configured IIS to use Windows Authentication, which works fine for users and groups.

The trouble I'm having is that I don't want to hardcode a user/password into our external web server's code or config files. This machine is not on the corporate domain.

Is there a way, using windows auth, to let our external server authenticate to an internal server without hard coding something?

For the asp.net service client on the external server, I'm using the following code to try and set credentials:

JsvServiceClient CreateClient()
{
    var client = new JsvServiceClient(Settings.Default.API);
    client.LocalHttpWebRequestFilter += (request) =>
    {
        var setting = ServiceSettings.Settings.Services["PortalAPI"]; // not used below
        // Send the identity of the calling process (the app pool account) to the service
        request.Credentials = CredentialCache.DefaultCredentials;
    };
    return client;
}

This seems to work if I instead use new NetworkCredentials(user,pass) and pass it a valid account. I guess I don't know what credentials are being passed with CredentialCache.DefaultCredentials or CredentialCache.DefaultNetworkCredentials, so I don't know what to put on the service's web.config to restrict access only to them.

On the service side, I tried various settings to allow access:

<authentication mode="Windows" />
<authorization>
  <allow users="NT AUTHORITY\NETWORK SERVICE"/>
  <deny users="*" />
</authorization>

<authorization>
  <allow roles="BUILTIN\Administrators"/>
  <deny users="*" />
</authorization>

Who do I need to allow to let IIS from my external server have access, but no other users unless specified? Thanks!


Solution

I think I have what I need using the following:

<authorization>
  <allow roles="BUILTIN\IIS_IUSRS"/>
  <deny users="*" />
</authorization>
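To find out which account the internal service actually receives when the external server sends CredentialCache.DefaultCredentials, a small diagnostic service that echoes the authenticated Windows identity is useful; this is an added example, not code from the question or the answer, and it assumes ServiceStack 3's Service base class and Route attribute, ASP.NET hosting with Windows authentication enabled and anonymous access disabled, and a hypothetical /whoami route.

```csharp
using System.Security.Principal;
using System.Web;
using ServiceStack.ServiceHost;      // assumption: ServiceStack 3 namespace for [Route]
using ServiceStack.ServiceInterface; // assumption: ServiceStack 3 namespace for Service

// Request DTO; the route name is a hypothetical one chosen for this example.
[Route("/whoami")]
public class WhoAmI { }

public class WhoAmIResponse
{
    public string Name { get; set; }               // e.g. DOMAIN\svc-account or MACHINE\NETWORK SERVICE
    public string AuthenticationType { get; set; } // "Negotiate", "NTLM" or "Kerberos"
    public bool IsAuthenticated { get; set; }
    public bool IsIisUser { get; set; }            // member of BUILTIN\IIS_IUSRS on this server?
}

public class WhoAmIService : Service
{
    public object Any(WhoAmI request)
    {
        // With <authentication mode="Windows" /> and anonymous access disabled,
        // ASP.NET fills HttpContext.Current.User with the caller's WindowsIdentity.
        var user = HttpContext.Current.User;
        var identity = user != null ? user.Identity as WindowsIdentity : null;
        if (identity == null || !identity.IsAuthenticated)
            return new WhoAmIResponse { Name = "(anonymous)", IsAuthenticated = false };

        var principal = new WindowsPrincipal(identity);
        return new WhoAmIResponse
        {
            Name = identity.Name,
            AuthenticationType = identity.AuthenticationType,
            IsAuthenticated = true,
            // Checks the same group the accepted answer's <allow roles=...> relies on
            IsIisUser = principal.IsInRole(@"BUILTIN\IIS_IUSRS"),
        };
    }
}
```

Calling this through the external server's JsvServiceClient shows the exact account name and group membership the internal server sees, so the web.config allow entry can name that specific account or a dedicated group rather than a broad built-in group.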
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow