iis security: Any idea how to let IIS check the IP Address list first, and if access is
denied, the user is prompted with a username and password? If the visitor's
IP Address is included in the allowed list, then the visitor is granted
access to the site. But if the IP Address is not in the list, then a basic
clear/text authentication is presented to the user.

Hey ~

I may be missing something, but your question doesn't make sense to me... If
a IP address, or subnet\fqdn, is denied - IIS sends a 403.x (unsure of the
status). IIS isn't prompting, this is IE's behavior. IE attempts 3 times
and receives the failure.

Authentication\Authorization doesn't take place if the IP address is
disallowed because IIS reads the header and sends the deny with the status
code and IIS is done...

Can you clarify what you want or desire for IIS to do?

Thanks,

--
~Chris (MSFT)
IIS Supportability Lead

Provided As-Is.
[quoted text, click to view]

Nope. IIS always check IP first, if it failed,
it will returns 403.6 response. and the process
end there.

You may want to write your own filters to do this.

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...


[quoted text, click to view]