Authorization doesn't work with Windows Authentication in IIS

Question

I tried to do something in IIS which I though is very simple, but I am unable to make it work.

I created a web page with simple html+js page and web api backend. (It means I have one single plain old html page with one single JavaScript file and it uses AJAX call back to the same server to get data from backend. The backend is written in C# with .NET Framework 4.7 and current version of ASP.NET. It is not MVC, it is not .NET Core, it is not ASP.NET Core.)

Now I want to allow this web page only for some users on local network and I expect this can be somehow configured in web.config file. The IIS is running on a computer in a domain, so I set up the web application in its web.config to use Windows authentication and provided the list of allowed users in authorization section (the user accounts are in the same domain as the web server). I though this would prevent other users to access the web, but apparently all authenticated users can display it. So it seems that Windows authentication works correctly, but there is no authorization check performed and all users are allowed. Can this be done easily in web.config in this kind of html+js+webapi scenario?

Currently, the related section in web.config looks like this:

  <system.web>
    <compilation targetFramework="4.7.2" />
    <httpRuntime targetFramework="4.7.2" />
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
      <allow users="alloweduser1,alloweduser2" />
    </authorization>
  </system.web>

Answer 1

Try :

<system.web>
    <compilation targetFramework="4.7.2" />
    <httpRuntime targetFramework="4.7.2" />
    <authorization>
      <allow users="domain\alloweduser1,domain\alloweduser2" />
      <deny users="*" />
    </authorization>
  </system.web>