Vista, IIS7, Windows Authentication and you

by Jesse 21. January 2008 08:14

I've been tasked with enabling Windows Authen to the current project I'm working on which "back in the old days" of IIS6 was uber easy -- tell it to use windows for the authentication, set your allow/deny groups, done, move along.  With IIS7 you get this really nasty rude surprise...

Server Error in '/someAppImWorkingOn' Application.

Access is denied.

Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

Error message 401.2.: Unauthorized: Logon failed due to server configuration.  Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server.  Contact the Web server's administrator for additional assistance.


Version Information: Microsoft .NET Framework Version:2.0.50727.312; ASP.NET Version:2.0.50727.833

Woah, ok, fine cousin Vinnie I'll just ...um, go over here for a while.  Jesh.

So I go bouncing around the net and I keep seeing posts about going into vista and enabling various stuff for IIS ...I go take a look and well well well, what do we have here?  Windows Authen, thank you very much ...along with all the other useful stuff.

Ooook, now let me guess, you have to go turn it on (yep!) so into the Inetmgr.msc, click on authentication, and no surprise...

Right click, enable, annnnddd back to the page.  But how do you know it's working?  Here's a test I came up with on the fly to verify the stuff is doing its thing.  Just as a note, you have windows authen enabled and anonymous enabled for the following tests.

Go into your root page, whatever that may be (default.aspx?) and drop in a LoginName control onto the page (look under Login in your toolbox), drop it on the page somewhere obvious, the top works great.  Dump this into your web.config somewhere under <system.web>, you've probably seen this before...

<authentication mode="Windows"/>
<authorization>
     <deny users="?"/>
</authorization>

So you've seen this: the ? denies all anonymous users.  Load your page up and you'll see <domainName>\<userName> on the screen (assuming you are on a domain).  Great, it works. Now change <deny users="?"/> to <deny users="*"/> (this'll deny ALL users) -- you'll get a prompt (!) and a nasty 401.2 error when you click cancel.  Switch back to the ?, then go back into inetmgr and disable windows authen.  Refresh the page and you'll get the same 401.2 error.

I almost forgot, if you take away the <deny users="?"/> you'll see NO username at the top (it's anonymous after all!)
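The web.config variants and the Windows authen on/off toggle tested above, as an added Python model (not code from the original post): it parses the <authorization> block, applies ASP.NET's first-match-wins rule order with the default trailing <allow users="*"/>, and reports what the browser ends up with. It assumes anonymous authentication stays enabled in IIS as in the tests above; the function names and the EXAMPLE\alice account are made up for illustration.

```python
import xml.etree.ElementTree as ET

# ASP.NET's root web.config ends every rule list with <allow users="*"/>.
DEFAULT_RULES = [("allow", ["*"])]

def load_rules(system_web_xml):
    """Return (action, users) pairs in document order from <authorization>."""
    root = ET.fromstring(system_web_xml)
    authz = root.find("authorization")
    rules = []
    for el in (authz if authz is not None else []):
        users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
        if el.tag in ("allow", "deny") and users:
            rules.append((el.tag, users))
    return rules + DEFAULT_RULES

def url_authorize(rules, user):
    """First matching rule wins. user is None for an anonymous request."""
    for action, users in rules:
        for pattern in users:
            # Named users are compared case-insensitively in this model.
            if (pattern == "*"
                    or (pattern == "?" and user is None)
                    or (user is not None and pattern.lower() == user.lower())):
                return action
    return "deny"

def page_result(system_web_xml, windows_auth_in_iis, domain_user):
    """What the browser ends up with when IIS anonymous auth is left enabled."""
    rules = load_rules(system_web_xml)
    if url_authorize(rules, None) == "allow":
        return "200 anonymous (LoginName is empty)"
    # Anonymous was refused: IIS can only challenge if Windows auth is enabled.
    if not windows_auth_in_iis:
        return "401.2"
    if url_authorize(rules, domain_user) == "allow":
        return "200 as " + domain_user
    return "401.2"  # shown once the credential prompt is cancelled

# Constructed web.config fragments matching the three cases in the post.
DENY_ANON = ('<system.web><authentication mode="Windows"/>'
             '<authorization><deny users="?"/></authorization></system.web>')
DENY_ALL = DENY_ANON.replace('"?"', '"*"')
NO_RULES = '<system.web><authentication mode="Windows"/></system.web>'

if __name__ == "__main__":
    for name, cfg in [("deny ?", DENY_ANON), ("deny *", DENY_ALL), ("no rule", NO_RULES)]:
        for win in (True, False):
            print(name, "| windows authen", win, "|", page_result(cfg, win, r"EXAMPLE\alice"))
```

The "no rule" rows are the ones to watch on a real site: with anonymous left enabled in IIS, only the <deny users="?"/> line stands between an unauthenticated visitor and the page.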



© Copyright 2007-2008