2

I've recently migrated a web app from .Net 3.5 to .Net 4 and changed the app pool to Integrated mode in IIS 7.5. This app has 2 parts: the first is open to the public and the second is by login only. I use forms authentication for login which is configued thusly in the root web.config:

<authentication mode="Forms">
  <forms loginUrl="~/private/login.aspx" protection="All" timeout="20" name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="~/private/default.aspx" cookieless="UseCookies" enableCrossAppRedirects="true" />
</authentication>

In the root web.config I have the default authorization to to deny unauthenticated users, thusly:

<authorization>
  <deny users="?" />
</authorization>

BUT I have the setting below configured in the root web.config to allow everyone to see the welcome page:

<location path="Default.aspx">
<system.web>
  <authorization>
    <allow users="?,*" />
  </authorization>
</system.web>

This has been working great for years but now, if I don't explicily put Default.aspx in the URL, the forms redirect module causes the login page to be served. I've verified that I have my default pages configured correctly and they are enabled in IIS7. I have also tried specifying them in web.config. I have verified that the DefaultDocumentModule is sequenced before the DirectoryListing module.

If I remove the element the problems "goes away" but the effect would be to default to allow all users and this is completely undesireable.

I'm out of ideas. Suggestions?

Thanks

I

paulv7260
  • 993
  • 1
  • 7
  • 7

2 Answers2

0

Seems like some kind of default doc issue. If you look in IIS Manager at the site, what is in the "Default Document" list. Is it possible that something other than Default.aspx is higher in the list? If something matching this is found in your root web, it will attempt to go there first and thus be redirected to login.

Are you explicitly setting the default document in your web.config? as in:

<defaultDocument enabled="true">
        <files>
            <clear />
            <add value="Default.aspx" />
            <add value="Default.htm" />
            <add value="index.htm" />
            <add value="index.html" />
            <add value="iisstart.htm" />
        </files>
    </defaultDocument>
swannee
  • 3,346
  • 2
  • 24
  • 40
  • Default.aspx is at the top of the list in the root web site. My site inherits from that. I've also tried this: – paulv7260 Feb 24 '12 at 16:29
0

OK, I had a Microsoft Premier Support Engineer dig into this for me. We sat down together at my workstation and went through (a) the environment and app configuration and (b) possible solutions.

He referenced this MS "Fast Publish" article which suggests that I remove the ExtensionLessURL handlers from IIS via MMC. Well, we're a huge organization with servers out the wazoo and I could not guarantee that this change would always be honored so I didn't want to do that. We tried using web.config to remove them but that did not work.

So, I showed him this solution from another StackOverflow thread (posted by Dmitry.Alk) and he said it was a good work-around for now. It works great for this particular situation.

The Fast Publish article references this hotfix A update is available that enables certain IIS 7.0 or IIS 7.5 handlers to handle requests whose URLs do not end with a period which I've got to sell to our IT "department".

I don't call what I've written here an "answer" but I wanted to share what I've come to learn in case others happen upon this thread.

Community
  • 1
  • 1
paulv7260
  • 993
  • 1
  • 7
  • 7
  • I prefer the solution with URL mappings: https://stackoverflow.com/a/19154854/991267 Does not require code changes. – Der_Meister Aug 15 '19 at 20:59