IIS7.5 and MVC 2 : Implementing HTTP(S) security

This is my first ASP.NET MVC application, and my first on an IIS 7.x installation whereby I have to do anything over and above the standard.

I need to enforce Windows authentication on the /Index and /feeds/xxx.svc pages/services. In ASP.NET Web Forms, I would apply the Windows permissions on the files and remove Anonymous authentication in IIS 6. This needs to work over HTTP/S, but don't worry about that, that's in hand.

What happens in MVC/IIS 7?

I have tried modifying the permissions on the /Index.aspx view, w开发者_运维百科hich seems to block access. It asks me for a username/password, but does not grant access when I enter a valid username/password. Pressing Escape gives me an exception "**Access to the path 'E:\dev\xxx\xxx.ConsultantRegistration.Web.Admin\Views\ConsultantRegistration\index.aspx' is denied. **", which does get sent as a 401.

So although the username/password does exist on the Index.aspx view, I can't use those credentials to access said view.

I have in my web.config:

What am I missing?

Don't set file permissions. Instead enable the WindowsAuthentication provider in your website in IIS, and add the [Authorize] attribute on the controller action. You can further filter the users that have access to these pages like this:

[RequireHttps, Authorize(Users="MyUser")]
public ActionResult Index()
{
    return View();
}