
I have an MVC3 web application hosted in IIS 7.5 on Windows Server 2008 R2. The site is behind Windows Authentication; a logon prompt is shown when visiting the site. There is then a second level login using Forms Authentication. (The point is to hide the site from the public, etc.)

If I go to the site, pass the Windows Authentication login prompt, and then view the login page (Forms Authentication), some resource may or may not load. For instance, a CSS file or JavaScript file may not load. If I hit refresh (sometimes it takes a couple of times), the missing file is loaded okay. If I keep hitting refresh I can reproduce this error over and over. Sometimes all resources are loaded, other times they are not.

  • If I remove the Windows Authentication portion, the problem goes away - the site loads perfectly every time.
  • I don't think it could be a permissions issue since the resources are sometimes loaded properly.
  • It doesn't seem to be a caching issue because it happens before and after emptying my browser cache.
  • It's not a browser-specific issue because I've reproduced it in IE and Chrome.

Edit 1: When I view the resource which is apparently missing, in Chrome, I see that instead of the CSS or JavaScript content I expected, the login page is returned.

Edit 2: I've enabled anonymous access to the Css, Images and JavaScript folders which, of course, fixes the problem. I'd still like to know why the content sometimes came through and sometimes didn't.

Edit 3: Web.config is below. Please note, I am securing certain actions by adding [Authorize] to the controller or action. Everything else should be "open."

<?xml version="1.0"?>

<configuration>
    <configSections>
        <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net"/>
    </configSections>

    <appSettings ... />

    <connectionStrings ... />

    <system.net>
        <mailSettings>
            <smtp ... />
        </mailSettings>
    </system.net>

    <system.web>
        <customErrors mode="Off"/>

        <compilation debug="true" targetFramework="4.0">
            <assemblies>
                <add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
                <add assembly="System.Web.Helpers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
                <add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
                <add assembly="System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
                <add assembly="System.Web.WebPages, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
                <add assembly="System.Data.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            </assemblies>
        </compilation>

        <authentication mode="Forms">
            <forms loginUrl="~/Account/Login" timeout="2880"/>
        </authentication>
    </system.web>

    <system.webServer>
        <defaultDocument enabled="true">
            <files>
                <clear />
                <add value="Index"/>
            </files>
        </defaultDocument>

        <validation validateIntegratedModeConfiguration="true"/>
        <modules runAllManagedModulesForAllRequests="true"/>
    </system.webServer>

    <runtime>
        <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
            <dependentAssembly>
                <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
                <bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="3.0.0.0" />
            </dependentAssembly>
        </assemblyBinding>
    </runtime>

    <log4net xsi:noNamespaceSchemaLocation="http://csharptest.net/downloads/schema/log4net.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <appender name="FileAppender" type="log4net.Appender.RollingFileAppender">
            <file value="..\Logs\Web.txt"/>
            <appendToFile value="true"/>
            <rollingStyle value="Size"/>
            <maxSizeRollBackups value="10"/>
            <maximumFileSize value="10MB"/>
            <layout type="log4net.Layout.SimpleLayout"/>
        </appender>

        <root>
            <level value="ALL"/>
            <appender-ref ref="FileAppender"/>
        </root>
    </log4net>
</configuration>
Josh M.
  • Have you checked what response you do get back from the server? E.g. using Fiddler or Firebug to see what HTTP status code you get on these requests. – Marco Miltenburg Nov 11 '11 at 08:00
  • Yes, added to **Edit**, above. – Josh M. Nov 11 '11 at 14:12
  • If you see that the login page is returned instead of the static resources this means that you are past the first barrier, the Windows Authentication portion. So it seems like your ASP.NET MVC application itself is protecting access to these resources by redirecting the user to the login page. However, this would not explain why it works if you disable the Windows Authentication part. Would really need to see the actual requests and responses in Fiddler to diagnose it any further. – Marco Miltenburg Nov 11 '11 at 15:55
  • When the resource is not sent back properly, the response header includes a `Location` parameter which points to the login page. So a redirect is happening in IIS somehow. – Josh M. Nov 11 '11 at 19:07
  • Can you post your web.config file? – Marco Miltenburg Nov 12 '11 at 09:09
  • Sure, not much in there other than the standard but will do. – Josh M. Nov 12 '11 at 16:16
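
The status-code check suggested in the comments can also be run against the IIS W3C log instead of a browser trace. The following is an added example, not code from the original post: it tallies responses for the Css, Images and JavaScript folders named in Edit 2 and lists every static request that was answered with a 401 or 302 instead of the file. The log lines, user name and `#Fields` column set are constructed for illustration; a real log will carry whichever fields are enabled on the server.

```python
import collections

# Constructed IIS W3C log excerpt (illustrative only, not from the original post).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username sc-status
2011-11-11 14:00:01 GET /Account/Login DOMAIN\\jdoe 200
2011-11-11 14:00:01 GET /Css/site.css - 401
2011-11-11 14:00:01 GET /Css/site.css DOMAIN\\jdoe 200
2011-11-11 14:00:02 GET /JavaScript/app.js - 302
2011-11-11 14:00:02 GET /Images/logo.png DOMAIN\\jdoe 200
2011-11-11 14:00:05 GET /JavaScript/app.js DOMAIN\\jdoe 200
"""

# Static folders named in Edit 2 of the question (compared case-insensitively).
STATIC_PREFIXES = ("/css/", "/images/", "/javascript/")


def parse_w3c(text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def audit_static(text):
    """Return (status counts per static URL, list of 401/302 entries)."""
    counts = collections.defaultdict(collections.Counter)
    suspicious = []
    for row in parse_w3c(text):
        stem = row["cs-uri-stem"]
        if not stem.lower().startswith(STATIC_PREFIXES):
            continue
        status = row["sc-status"]
        counts[stem][status] += 1
        # A challenge or redirect here means the file itself was not served.
        if status in ("401", "302"):
            no_user = row["cs-username"] == "-"
            suspicious.append((row["time"], stem, status, no_user))
    return counts, suspicious


if __name__ == "__main__":
    for time, stem, status, no_user in audit_static(SAMPLE_LOG)[1]:
        who = "no user on request" if no_user else "user present"
        print(f"{time} {stem} -> {status} ({who})")
```

Comparing the `cs-username` column on the failing and succeeding requests for the same file shows whether the request reached the application with a Windows identity attached.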

1 Answer


Since it sometimes worked, could it be that it worked when you were authenticated? When a request fails, verify that you are authenticated, so at least you can rule it out.

santiagoIT
  • Nope. If I log in (Windows Auth), the next page may or may not be displayed correctly. Refreshing from this point on produces correctly downloaded/displayed pages as well as incorrectly downloaded/displayed pages - it seems random whether or not all resources were able to be downloaded. – Josh M. Nov 11 '11 at 19:07