Configure Virtual Directory on IIS Server [Guide]

A virtual directory in IIS (Internet Information Services) maps an alias in a website URL to a physical folder on disk – or even a UNC share on another server. This lets you serve content from locations outside the site’s root directory without moving files around. Virtual directories are one of the core building blocks in IIS architecture, alongside applications and sites.

Original content from computingforgeeks.com - post 34479

This guide covers creating and managing virtual directories on Windows Server 2022/2019 running IIS 10. We walk through the IIS Manager GUI method, PowerShell automation with New-WebVirtualDirectory, application pool configuration, NTFS permissions, authentication, SSL, URL Rewrite rules, and common troubleshooting. For background on IIS sites, applications, and virtual directories, check the official Microsoft documentation.

Prerequisites

Before you start, confirm the following are in place:

Windows Server 2022 or 2019 with IIS 10 installed and running. If you need to install and configure IIS Web Server on Windows Server, follow that guide first
Administrative access to the server (local Administrator or domain admin)
At least one site configured in IIS (the Default Web Site works fine for testing)
A physical folder with content you want to serve through the virtual directory
PowerShell 5.1+ (included with Windows Server 2019/2022) for the automation steps

Step 1: Create Virtual Directory via IIS Manager

The IIS Manager GUI is the quickest way to add a virtual directory when you need to set one up manually. This method works well for one-off configurations.

Open Server Manager, click Tools, then select Internet Information Services (IIS) Manager.

Open IIS Manager from Server Manager Tools menu

In the Connections pane on the left, expand your server name, then expand Sites. Right-click the site where you want the virtual directory (for example, Default Web Site) and select Add Virtual Directory.

IIS Manager showing virtual directories view

In the Add Virtual Directory dialog, fill in these fields:

Alias – the URL path segment visitors will use (e.g., reports makes the URL http://yoursite/reports)
Physical path – the actual folder on disk (e.g., D:\WebContent\Reports)

Click OK to create the virtual directory. You can also click Connect as to specify alternate credentials if the physical path is on a network share, and Test Settings to verify IIS can reach the folder.

Add Virtual Directory dialog in IIS Manager

After creation, the virtual directory appears under the site in the Connections pane. You can verify it works by placing an index.html file in the physical path and browsing to http://localhost/reports/.

Virtual directory alias and physical path configuration

Virtual directory successfully added in IIS Manager

Step 2: Create Virtual Directory via PowerShell

PowerShell is the better option when you need to automate virtual directory creation across multiple servers or include it in deployment scripts. The New-WebVirtualDirectory cmdlet from the WebAdministration module handles this.

First, make sure the IIS PowerShell module is loaded:

Import-Module WebAdministration

Create the physical directory if it does not exist yet:

New-Item -Path "D:\WebContent\API" -ItemType Directory -Force

Now create the virtual directory under the Default Web Site with the alias api:

New-WebVirtualDirectory -Site "Default Web Site" -Name "api" -PhysicalPath "D:\WebContent\API"

Verify the virtual directory was created by listing all virtual directories on the site:

Get-WebVirtualDirectory -Site "Default Web Site"

The output shows the virtual directory name and physical path, confirming it was created:

Name     Physical Path
----     -------------
api      D:\WebContent\API

To create a virtual directory under a specific application (not the site root), use the -Application parameter:

New-WebVirtualDirectory -Site "Default Web Site" -Application "myapp" -Name "static" -PhysicalPath "D:\WebContent\Static"

To remove a virtual directory via PowerShell:

Remove-WebVirtualDirectory -Site "Default Web Site" -Name "api"

Step 3: Configure Application Pool for Virtual Directory

By default, a virtual directory inherits the application pool of its parent site. If your virtual directory serves a different application type (for example, a .NET 4.8 app under a .NET 6 site), you need to convert it to an application with its own pool.

To convert a virtual directory to an application with a dedicated pool via IIS Manager, right-click the virtual directory in the Connections pane and select Convert to Application. In the dialog, click Select to choose an existing application pool or create a new one.

To do the same in PowerShell, first create a dedicated application pool:

New-WebAppPool -Name "APIPool"
Set-ItemProperty "IIS:\AppPools\APIPool" -Name "managedRuntimeVersion" -Value "v4.0"
Set-ItemProperty "IIS:\AppPools\APIPool" -Name "managedPipelineMode" -Value "Integrated"

Then convert the virtual directory to an application assigned to that pool:

ConvertTo-WebApplication -PSPath "IIS:\Sites\Default Web Site\api" -ApplicationPool "APIPool"

Verify the application pool assignment:

Get-WebApplication -Site "Default Web Site" -Name "api" | Select-Object ApplicationPool, PhysicalPath

The output confirms the application pool is set correctly:

ApplicationPool    PhysicalPath
---------------    ------------
APIPool            D:\WebContent\API

Step 4: Set Permissions for IIS Virtual Directory

IIS needs both NTFS file system permissions and IIS-level permissions to serve content from a virtual directory. Missing permissions are the number one cause of 403 Forbidden errors.

NTFS Permissions

The IIS worker process runs under the application pool identity – by default IIS AppPool\DefaultAppPool (or IIS AppPool\APIPool if you created a custom pool). Grant this identity Read and Execute access to the physical directory.

Set NTFS permissions using PowerShell:

$path = "D:\WebContent\API"
$acl = Get-Acl $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\DefaultAppPool", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-Acl $path $acl

If the virtual directory needs write access (for file uploads or logging), add Modify permission instead:

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\DefaultAppPool", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-Acl $path $acl

Verify the permissions were applied:

Get-Acl "D:\WebContent\API" | Format-List

IIS-Level Permissions

In IIS Manager, you can also control access at the virtual directory level. Select your virtual directory, then double-click Authorization Rules in the Features View. By default, all users are allowed. You can remove the default rule and add specific users or roles.

To set authorization rules via PowerShell, use the Add-WebConfigurationProperty cmdlet:

Add-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\api" -Filter "system.webServer/security/authorization" -Name "." -Value @{accessType="Allow"; users="*"}

Step 5: Virtual Directory vs Application vs Site

IIS has three levels of content organization. Understanding the differences helps you pick the right one for your use case.

Feature	Virtual Directory	Application	Site
Own application pool	No – inherits from parent	Yes – can have dedicated pool	Yes – always has its own pool
Own web.config	Limited – inherits parent config	Yes – full independent config	Yes – full independent config
Process isolation	No – shares parent worker process	Yes – if different pool assigned	Yes – separate worker process
Hostname binding	No – uses parent site hostname	No – uses parent site hostname	Yes – own hostname and port
URL structure	http://site/alias/	http://site/appname/	http://hostname/
Best for	Static content, shared config	Sub-applications needing isolation	Separate websites

Use a virtual directory when you just need to map an alias to a physical folder and the content shares the parent site’s configuration. Convert to an application when you need a separate web.config, different .NET runtime version, or process isolation. Create a separate site when you need a distinct hostname or port binding. You can learn more about configuring the default site in IIS Server in our dedicated guide.

Step 6: Configure SSL for Virtual Directory

A virtual directory inherits the SSL settings of its parent site. If the parent site has an SSL binding, the virtual directory is automatically accessible over HTTPS. However, you can enforce SSL-only access on a per-directory basis.

To require SSL on a virtual directory through IIS Manager, select the virtual directory, double-click SSL Settings in the Features View, check Require SSL, and click Apply.

To enforce SSL via PowerShell:

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\api" -Filter "system.webServer/security/access" -Name "sslFlags" -Value "Ssl"

If you also want to require client certificates:

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\api" -Filter "system.webServer/security/access" -Name "sslFlags" -Value "Ssl,SslRequireCert"

Verify the SSL settings are active:

Get-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\api" -Filter "system.webServer/security/access" -Name "sslFlags"

The output should return Ssl (or Ssl,SslRequireCert if client certs are required). If you need to install an SSL certificate on IIS, follow that guide to set up the binding on the parent site first.

Step 7: Configure Authentication Settings

Virtual directories inherit authentication settings from the parent site, but you can override them per directory. This is useful when part of your site is public and the virtual directory needs restricted access.

To check current authentication settings on a virtual directory:

Get-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\api" -Filter "system.webServer/security/authentication/anonymousAuthentication" -Name "enabled"

To disable anonymous authentication and enable Windows authentication:

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\api" -Filter "system.webServer/security/authentication/anonymousAuthentication" -Name "enabled" -Value $false
Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\api" -Filter "system.webServer/security/authentication/windowsAuthentication" -Name "enabled" -Value $true

For Basic authentication (typically used with SSL), enable it with:

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\api" -Filter "system.webServer/security/authentication/basicAuthentication" -Name "enabled" -Value $true

Basic authentication transmits credentials in Base64 (not encrypted), so always pair it with SSL. Windows authentication using Kerberos or NTLM is the preferred method for intranet scenarios where clients are domain-joined.

In IIS Manager, you can manage these same settings by selecting the virtual directory and double-clicking Authentication in Features View. Right-click each authentication method to enable or disable it.

Step 8: Configure URL Rewrite Rules

URL Rewrite rules let you redirect or transform requests hitting your virtual directory. This requires the IIS URL Rewrite module installed separately from the IIS base install. Download it from the Microsoft IIS site if not already installed.

A common use case is redirecting HTTP to HTTPS for the virtual directory. Create a web.config file in the virtual directory’s physical path:

notepad D:\WebContent\API\web.config

Add the following URL Rewrite rule to redirect all HTTP traffic to HTTPS:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

To add a rewrite rule via PowerShell instead of editing web.config manually:

Add-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\api" -Filter "system.webServer/rewrite/rules" -Name "." -Value @{
    name = "HTTP to HTTPS"
    stopProcessing = "true"
}
Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\api" -Filter "system.webServer/rewrite/rules/rule[@name='HTTP to HTTPS']/match" -Name "url" -Value "(.*)"
Add-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\api" -Filter "system.webServer/rewrite/rules/rule[@name='HTTP to HTTPS']/conditions" -Name "." -Value @{
    input = "{HTTPS}"
    pattern = "^OFF$"
}
Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\api" -Filter "system.webServer/rewrite/rules/rule[@name='HTTP to HTTPS']/action" -Name "type" -Value "Redirect"
Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\api" -Filter "system.webServer/rewrite/rules/rule[@name='HTTP to HTTPS']/action" -Name "url" -Value "https://{HTTP_HOST}/{R:1}"
Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\api" -Filter "system.webServer/rewrite/rules/rule[@name='HTTP to HTTPS']/action" -Name "redirectType" -Value "Permanent"

Step 9: Troubleshoot Common Virtual Directory Errors

When a virtual directory does not work as expected, the issue usually falls into one of three categories: permission errors, configuration problems, or path issues. Here are the most common errors and their fixes.

HTTP 403 – Forbidden

This means IIS can reach the folder but is not allowed to serve its contents. Check these in order:

NTFS permissions – the app pool identity needs Read and Execute access. Verify with Get-Acl "D:\WebContent\API"
Directory browsing disabled – if there is no default document and directory browsing is off, IIS returns 403. Either add an index.html or enable directory browsing for that virtual directory
IP restrictions – check if IP Address and Domain Restrictions are blocking your client
SSL required but accessing via HTTP – if you set Require SSL, plain HTTP requests get 403

HTTP 404 – Not Found

The virtual directory alias does not resolve or the content is missing:

Wrong alias spelling – the URL path must match the alias exactly (case-insensitive on Windows)
Physical path does not exist – verify the folder exists at the configured path
No default document – check Default Document settings. IIS looks for default.htm, default.asp, index.htm, index.html, and iisstart.htm by default
Virtual directory under wrong site – confirm the virtual directory is attached to the site you are browsing

HTTP 500 – Internal Server Error

A server-side error usually caused by configuration issues:

Malformed web.config – check the web.config file in the virtual directory for XML syntax errors
Wrong .NET version – the application pool is set to a .NET version that does not match the application
Missing modules – URL Rewrite rules fail with 500 if the URL Rewrite module is not installed

For detailed error information, enable Failed Request Tracing on the virtual directory. In IIS Manager, select your site, click Failed Request Tracing Rules, and add a rule for the status codes you want to capture. The trace logs go to %SystemDrive%\inetpub\logs\FailedReqLogFiles\ by default.

You can also check the Windows Event Log for IIS errors:

Get-EventLog -LogName Application -Source "IIS*" -Newest 20

Conclusion

Virtual directories in IIS give you a clean way to map URL paths to physical folders outside the site root without restructuring your file system. We covered creating them through both IIS Manager and PowerShell, setting up dedicated application pools, configuring NTFS and IIS permissions, SSL enforcement, authentication, URL Rewrite rules, and troubleshooting the most common errors.

For production deployments, always enforce SSL on virtual directories that serve sensitive content, use dedicated application pools for isolation, and apply the principle of least privilege on NTFS permissions. Monitor IIS logs and Failed Request Tracing to catch issues early.