HTTP Basic Authentication against Non-Windows Accounts in IIS7

The last posts (here, here, here and here) show how to build an HTTP Basic Authentication module using a membership provider (and including WCF support). Moving this code to IIS7 is technically not very difficult – but the mindset changes. In IIS6 a HTTP module is used to extend the managed ASP.NET pipeline. In IIS7 you are now building extensibility code for the web server itself. This has some implications:

  • The HTTP module is not registered in <system.web /> anymore. Since you extend IIS7, the module gets registered in <system.webServer /> now.
  • Same applies to the <customBasicAuthentication /> configuration section for the module itself.
  • The module now has easy access to the IIS security configuration and can behave diffently based on that
  • A proper IIS7 feature should also have a corresponding UI in the IIS Manager – including support for remote administration

I have already written a walkthrough on how to build IIS7 modules (here, here, here, here, here, here and here). I recommend reading them, since most of the code and structure is boilerplate.

The only real difference between the ServerHeader sample and the Basic Authentication UI integration is, that the authentication UI can register in the IIS7 Manager under the Authentication category:

From there you can open the custom Basic Authentication UI which controls the configuration settings in web.config for the currently selected application. Everything falls into place.

To register as a new authentication method you need to derive from a class called AuthenticationFeature. In this class you do some basic state management and are responsible for loading and showing the configurationUI. After that you register the feature in the Module derived class and call RegisterExtension on the extensibility manager.

// the module registers the custom UI with InetMgr
public class CustomBasicAuthenticationModule : Module
    protected override void Initialize(IServiceProvider serviceProvider, ModuleInfo moduleInfo)
        base.Initialize(serviceProvider, moduleInfo);

        // add our module to the authentication section in the GUI
        IExtensibilityManager manager =

        if (manager != null)
                new CustomBasicAuthenticationFeature(this));


Download the full source here.


This entry was posted in ASP.NET, WCF. Bookmark the permalink.

3 Responses to HTTP Basic Authentication against Non-Windows Accounts in IIS7

  1. bernardjclark says:

    This looks like exactly what I need. Unfortunately all your URLs are broken. Coming from the codeplex site doesn’t work at all.

    Any chance you could update the link to the source? I’d really appreciate it

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s