A Little Bit of Apache in an IIS World

by Ziran Sun

IIS shops that have looked enviously at HTTP authentication capabilities, but have no intention of leaving the Microsoft fold, now have an option: IISPassword.

This article was originally published on 15 Seconds.

Have you ever wished you could easily set up password-protected areas of your Web site without creating system user accounts? What about moving a password-protected Web site from Apache to IIS? This article examines a free product that makes both of these tasks amazingly simple.

The product is IISPassword from a company called Troxo. IISPassword is a free download from the ISV's Web site — the full product, not just a temporary trial version — and it is also free for commercial use!


We'll leave the task of describing IISPassword to Troxo. Here's a brief description from the Web site:

IIS password protection of files and folders has always been difficult. IISPassword brings the ease and power of Apache's htaccess to Microsoft IIS. No longer is there a need for system user accounts and complex access permissions for maintaining a secure, password protected web site.

IISPassword uses Basic HTTP Authentication for password protecting web sites on IIS, just like htaccess works on Apache. That makes your password protected Apache web site compatible with IIS, and vice versa.

A powerful and intuitive interface makes it possible to password protect a web site in just moments. More advanced settings provide options such as user group management and protection of certain file types.

Download and Installation

To download the software, a user must fill out a form with his name and e-mail address. Troxo then responds with an e-mail message with a link to a download page. The setup file is just under 5 MB, and although its server wasn't lightning fast, it still downloaded fairly quickly.

Running the setup program starts a relatively standard installation process. After the greeting screen you're prompted to accept the license agreement and then asked if you want to do a typical or custom installation. The only two options in the custom installation are to install to a different location and whether or not to register the ISAPI filter in the global IIS settings, so unless you want to change the location, just run the typical version.


There are two things worth noting about the installation:

  1. It restarts IIS, so if you're installing on a live Web server, be sure to do so at an opportune time when a few seconds of downtime won't be noticed.

  2. It installs a utility called LiveUpdate that you can use to check for available updates. It's a cool utility, but you'll probably want to set it to not run constantly.


Organizations that are migrating Apache sites don't need to do much in terms of configuration. Simply upload your content along with your .htpasswd and .htaccess files, and you should be good to go. The program automatically picks them up and secures the appropriate files.
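An added example, not part of the original article or of IISPassword: before copying an Apache .htpasswd file to the IIS server as described above, this script classifies each entry by hash format so that accounts stored with crypt, unsalted SHA-1 or plaintext can be reset first. The sample file and all function names are constructed for illustration, and which of these formats IISPassword accepts is not stated in the article.

```python
import re

# (scheme name, pattern, flagged weak). Formats are the ones Apache's htpasswd
# writes; "weak" marks those the Apache documentation calls insecure.
SCHEMES = [
    ("bcrypt", re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"), False),
    ("apr1-md5", re.compile(r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}"), False),
    ("sha1-unsalted", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}="), True),
    # A 13-character plaintext password would also match this pattern.
    ("des-crypt", re.compile(r"[./A-Za-z0-9]{13}"), True),
]

def audit_htpasswd(text):
    """Return one finding per user line: line, user, scheme, weak, duplicate."""
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no account
        user, sep, secret = line.partition(":")
        if not sep or not user or not secret:
            findings.append({"line": lineno, "user": user or None,
                             "scheme": "malformed", "weak": True, "duplicate": False})
            continue
        scheme, weak = next(((n, w) for n, rx, w in SCHEMES if rx.fullmatch(secret)),
                            ("plaintext-or-unknown", True))
        # A repeated user name means only one of the entries can be the effective one.
        findings.append({"line": lineno, "user": user, "scheme": scheme,
                         "weak": weak, "duplicate": user in seen})
        seen.add(user)
    return findings

# Constructed sample file: filler characters of the right length, not real hashes.
SAMPLE_HTPASSWD = "\n".join([
    "# staff accounts",
    "alice:$apr1$" + "s" * 8 + "$" + "h" * 22,
    "bob:{SHA}" + "A" * 27 + "=",
    "carol:$2y$05$" + "b" * 53,
    "dave:" + "c" * 13,
    "erin:letmein",
    "alice:" + "c" * 13,
])

if __name__ == "__main__":
    for f in audit_htpasswd(SAMPLE_HTPASSWD):
        flags = [k for k in ("weak", "duplicate") if f[k]]
        print(f"line {f['line']}: {f['user']} {f['scheme']} {' '.join(flags)}")
```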

For those who are not migrating an established authentication setup, IISPassword has a simple user interface. It's accessed via Internet Services Manager (ISM) (Start -> Programs -> Administrative Tools -> Internet Information Services) or by simply running C:\windows\system32\inetsrv\iis.msc (or similar, depending on the location of your Windows directory).

From ISM, right-click the root of your web site and select "Properties". In the resulting property page, you'll see a new "IISPassword" tab. From there, simply right-click on the folder you want to secure and select "Protect".

You'll see that the folder now has a little symbol indicating it is secured. Now, to access it you'll need a user name and password. To set one up, simply click the "Add ..." button under the list of users and enter a user name and password. You can also enter a title that will be displayed in the authentication box when it pops up. I just entered "Enter Login Info!".

That's all there is to getting it up and running. You can obviously set up a much more advanced configuration, but that's all you need to do to get started. Explaining all the available .htaccess system directives is beyond the scope of this article, but if you're looking for information about additional configuration directives, start with the help file. It's not spectacular, but it is well-written and should answer most of your questions.

For those looking to automate the process of creating user accounts, IISPassword also includes a command line tool called UserLine for creating user lines and optionally adding them to password files.

What the Users See

Now that we've secured our content, let's try and get to it. Here's what we see when we request a secured document. Notice that the "Enter Login Info!" entered earlier is here to greet us.

When we enter invalid login info, we're bounced to an error message telling us we're not allowed in.

If you have concerns about users seeing what product is being used, simply edit the HTML files in the "ErrorDoc" subfolder of the installation directory. You'll also need to restart IIS for it to pick up changes to these files. Although we're not sure how supported this is, it worked fine when tested. Be sure to make a backup of the originals in case you need them.

When we enter a valid user name and password we're served the requested document without any further delay.


Although IISPassword is certainly not for everyone, if you're looking for a way to secure content without setting up system-level user accounts, or to move sites that use authentication from Apache to IIS and vice versa, it's certainly worth a look. It's a great little product whose price can't be beat. For more information, check out the following links.


This article was originally published on Wednesday Feb 15th 2006