How do I force the use of Windows authentication on only part of a web site?

I am building a site using ASP.NET MVC 2. The site itself needs to be public but the admin section should require a windows login and the user logging in needs to have local admin privileges on the server.

i.e. http://server/site should be open, but http://se开发者_开发问答rver/site/admin should force an admin login before proceeding.

Can this be done in code or by tweaking the web.config file? If necessary, making configuration changes to IIS is acceptable but I am trying to keep deployment steps down to a minimum.

I don't know if you can do this in web.config, or even if it's possible via IIS in an MVC application (since /site/admin won't exist on the file system), but it is possible to have different permissions for different folders under IIS. You will need to use the IIS manager to configure this.

You may also be able to use an AuthorizeAttribute on your admin controller.

This turned out to be fairly straightforward:

1. Enable Windows Authentication in IIS.
2. Enable Windows Authentication in web.config.
3. Decorate each action that needs to be secure with [Authorize(Roles = "Admin")].