I have a .Net web site with both public and private areas. The private sections are protected with .Net forms authentication. This all works fine. Site runs in IIS integrated mode.
My question is related to my QA/Test site we push changes to prior to going live. I don't want the general public or googlebot to have access to the QA site at all. Not even the portions that would ordinarily not require authentication to access.
The QA site does need to be accessible on the wild internet because we do want folks from other companies, etc. to be able to see and test changes before they go live. So my idea was to put a gatekeeper username/password in front of the entire site. Once people are past that door, they should have access to the "public" areas of the site. Accessing the member area would still require them to go through the forms auth as usual.
I tried turning off anonymous authentication and enabling basic auth, but I get an error about not being able to use 401 challenge based and redirected based auth simultaneously. Unfortunately that is exactly what I want.
I probably could write a custom HttpModule, but I'd rather just do it with standard IIS settings. Anyone have any ideas on how to solve this?
IIS 7.x doesn't support both forms auth and windows auth at the same time. Kind of odd, I know.
How about turning on forms auth for the entire site, including public areas? You could give a different login page explaining why they need to sign into everything.
Or, using URL Rewrite, you could have a list of IP addresses that are approved and only allow entry if it's from a valid IP.