Forms Authentication Ignoring Default Document

Question

I have spent a day and a half trying to resolve this issue. Bascially have an ASP.net website with Forms Authentication on IIS7 using Framework 4.0.

The Authorization stuff seems to be working perfectly for every scenario with the exception of hitting it with no document specifed (Should resolve to Default Doc).

For example (Please don't be harsh on site its still be developed ;) ), http://www.rewardroster.com/Default.aspx works perfectly, this page should allow anon access as specified in the web.config.

but if I hit www.rewardroster.com Directly it redirects to the login page with Return URL set to "/" or Login.aspx?ReturnUrl=%2f

Some things I have tried:

1) Set Authentication to None and then the Default document worked so thats not the issue.

2) Added DefaultDocument attribute to Web.config

3) Deleted all entries for in Default Document list in IIS except for Default.aspx

4) Added MachineKey entry in Config

5) Toggled from Integrated to Classic pipeline in IIS

Here is what's in my config:

  <authentication mode="Forms">
    <forms name="appNameAuth" loginUrl="Login.aspx" protection="All" timeout="60" slidingExpiration="true" defaultUrl="Default.aspx" path="/">
    </forms>
  </authentication>
  </authentication>

 <location path="Default.aspx">

Thanks so much for your time and hope someone knows what is going on here.

I have the same issue with donet v4, does anyone know why this has suddenly started happening when it has been fine for years in v2.0, v3 and v3.5? — bigtv, Jun 21 '11 at 07:10

score 39 · Accepted Answer · edited May 07 '12 at 15:49

39

This was my solution:

In Global.asax, method: Application_BeginRequest, place the following:

if (Request.AppRelativeCurrentExecutionFilePath == "~/")  
   HttpContext.Current.RewritePath("HomePage.aspx");

Nice and simple, and you have a chance to build logic around what home page you want to use if your website uses multiple home pages based on configuration variables.

Dmitry.Alk

edited May 07 '12 at 15:49

Bazzz

26,427
12
52
69

answered Apr 05 '11 at 08:38

Dmitry.Alk

570
5
6

4

Fine answer. But make it "~/HomePage.aspx". Cause if your app is in a subfolder ("http://server/myapp/") a request to "http://server/myapp" (without the trailing slash) will crash this code. – Alex from Jitbit Mar 11 '12 at 07:36
Didn't work for me, still get *Login.aspx?ReturnUrl=%2f* when hitting the .com – MGOwen Jun 13 '12 at 11:15
Changed it to HttpContext.Current.RewritePath("~/Default.aspx"); and it worked. – Jay Douglass Apr 09 '14 at 18:33
I prefer the solution with URL mappings: https://stackoverflow.com/a/19154854/991267 – Der_Meister Aug 15 '19 at 20:58

score 8 · Answer 2 · answered Jul 07 '11 at 13:17

8

I was seeing this same problem when attempting to hit the root path and I tried everything previously mentioned. It seems Asp.net 4.0 adds two ExtensionlessUrl modules to applicationhost.config for IIS 7. You can remove these modules by adding the following to your web.config

<system.webServer>
  <handlers>
    <remove name="ExtensionlessUrl-Integrated-4.0"/>
    <remove name=" ExtensionlessUrl-ISAPI-4.0_32bit "/>
  </handlers>
</system.webServer>

Additional Information

Microsoft KB

How extensionless urls are handled by asp net v4

answered Jul 07 '11 at 13:17

Gregory Ostermayr

1,123
10
17

But if I do need to use URLS with no extension (e.g.: WCF services) this will disable them, right? – MGOwen Jun 12 '12 at 23:31
1

Strangely it didn't work for me at first either - but then when I did it via IIS Manager (from the 'handler mappings' section), it worked, even though this appeared to just modify web.config the same way. You need to remove the 64-bit one as well if you're running on a 64-bit system. – Dylan Nicholson Oct 02 '13 at 23:00

score 4 · Answer 3 · answered Sep 30 '10 at 14:15

I had a similar problem. No styles when I wasn't logged in, www.site.nl\ redirected to the login-page (with a redirect url to a home-page) and entering www.site.nl\Home (same homepage as the redirect url mentioned before) didn't need a login.

Solution was:

Open IIS
Open IIS: Authentication
Open and edit Anonymous access
Check user (I changed the user to the app.pool user)
Give user rights on the root of the site (on the file system)

That worked out for me.

Good luck

score 4 · Answer 4 · answered Oct 18 '10 at 18:59

What I ended up doing to fix this is writing a few lines of code in my login page to check for a Request.QueryString["ReturnUrl"] of "/". If it found that, then it redirected to default.aspx.

I couldn't find ANY way to make forms authentication not intercept calls without a page specified (e.g. www.mysite.com). :( I even tried .NET 4 URL Routing and that didn't prevent Forms Authentication from hijacking the request either.

Below is the code I used in login.aspx:

protected void Page_Load(object sender, EventArgs e)
{
    if (!(IsPostBack || IsAsync))
    {
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (returnUrl != null)
            if (returnUrl == "/")
                Response.Redirect("default.aspx");
    }
}

Tried a bunch of other solutions. This was the only thing that worked for me. — E Benzle, Nov 01 '17 at 21:48

score 3 · Answer 5 · answered May 26 '11 at 16:16

Johan's solution worked for me, but only if the request was for the site root.

My site is organized like this:

www.[mysite].com/login.aspx
www.[mysite].com/default.aspx
www.[mysite].com/[somestuff]/default.aspx
www.[mysite].com/[morestuff]/default.aspx

After following Johan's good advice, requests to www.[mysite].com got directed to the forms login page, and after login, the default page. However, if someone requested "/[somestuff]/", it still wouldn't work.

I got it to work by enabling anonymous authentication on the [somestuff] and [morestuff] directories, and then disabling it on the individual files within these directories. That's not a security setup I want to support, given people could either get where they are going from default.aspx or just requesting [somestuff]/default.aspx to begin with. But now I know why it is failing. It seems you need anonymous access on directories on which you wish to use default documents.

score 0 · Answer 6 · answered Jan 25 '13 at 12:05

I run into same problem and resolved this way:

in Global.asax beside Dmitry.Alk solution I added:

    if (Request.AppRelativeCurrentExecutionFilePath.ToLower() == "~/default.aspx")
        HttpContext.Current.RewritePath("Default.aspx");
    if (Request.AppRelativeCurrentExecutionFilePath.ToLower() == "~/")
        HttpContext.Current.RewritePath("Default.aspx");
    if (Request.AppRelativeCurrentExecutionFilePath.ToLower() == "~")
        HttpContext.Current.RewritePath("Default.aspx");

score 0 · Answer 7 · answered Dec 16 '10 at 20:02

I had a similar problem today. I was trying use the integrated pipeline to secure non-asp.net resources (static files, php, etc.).

I had a rule in my root web.config that had , then I was allowing access to specific resources on a case by case basis.

This worked except that requests to "/" could never be authenticated (endlessly redirecting to the login page), while requests to "/Default.aspx" were fine.

My problem was because the Asp.Net UrlAuthentication module was enabled for all resource types, and apparently this doesn't work for my scenario. Instead I had to change that module to work for managed resources only and install IIS7's non-managed url authentication. I then had to configure that (since it uses different authentication settings), and make sure that the RoleManager was enabled for non-managed resources (since I was authenticating on roles). This URL might be helpful: http://learn.iis.net/page.aspx/142/understanding-iis-70-url-authorization/

score 0 · Answer 8 · answered May 29 '22 at 18:40

0

I solved this by add read, Read & Execute, List Folder Contents permissions to IUSR user in windows server 2019 and IIS 10

answered May 29 '22 at 18:40

Ehsan Vali

344
2
9

Forms Authentication Ignoring Default Document

8 Answers8

Linked