Users may be redirected to the login page of an ASP.NET 4 application after installing Windows 7 Service Pack 1

Applies to: Windows 7 Service Pack 1

Symptoms


Consider the following scenario. You have a Microsoft Windows 7 server running Microsoft Internet Information Services (IIS) and the .NET Framework 4.0. The IIS web application is configured to use Forms Authentication, allows anonymous users access to the application's home page, and the application relies on the IIS Default Document feature to map requests from "/" to default.aspx. After installing Windows 7 Service Pack 1, users may be redirected to the Forms Authentication login page for the application when attempting to access the application's home page.



Cause


Microsoft has confirmed that this is a problem in the products listed in the applies-to section.

The Extensionless URL feature introduced in Windows 7 Service Pack 1 interferes with the way ASP.NET parses URLs that would normally be handled by the Default Document setting. This leads to anonymous access failing for certain URLs, causing the user to be redirected to the Forms Authentication login page to reauthenticate.


Resolution


To work around this problem, developers can disable Extensionless URL processing in their application by adding the following configuration elements to the application's web.config file.

IMPORTANT: This configuration sample is shown for example purposes only and is not meant to be copied and pasted into your configuration file. Always back up your configuration files before making any changes.



<system.webServer>
  <handlers>
    <remove name="ExtensionlessUrl-ISAPI-4.0_32bit" />
    <remove name="ExtensionlessUrl-ISAPI-4.0_64bit" />
    <remove name="ExtensionlessUrl-Integrated-4.0" />
  </handlers>
  <validation validateIntegratedModeConfiguration="false" />
</system.webServer>



More Information


ASP.NET sites may deny access to anonymous users for most URLs within a website – while selectively allowing anonymous access to a web site’s home page.  For example, anonymous access to URLs like http://www.contoso.com and http://www.contoso.com/default.aspx is allowed, but all other URLs require authentication.  This can be accomplished inside of an application’s configuration like the following:
 
<location path="Default.aspx" >
  <system.web>      
    <authorization>        
      <allow users="*" />      
    </authorization>    
  </system.web>
</location>
 

This approach works because of the Default Document feature of IIS.  Default document handling transparently maps requests to paths like “/” or www.contoso.com to “/default.aspx” or www.contoso.com/default.aspx. Once this mapping occurs, ASP.NET sees a request to default.aspx and associates that request with the <location /> tag that grants anonymous access, and the request is allowed to proceed.
 
However, when ASP.NET 4 is used on Windows 7 SP1, the Extensionless URL feature causes requests to URLs like “/” or www.contoso.com to be seen by ASP.NET in their unmapped form.  This means, for example, that ASP.NET does not see a request for default.aspx when the initial request came in for "/".  As a result, the <location /> tag granting anonymous access to default.aspx is never read, and the request is denied access.  Users may see behavior where requests to “/” redirect them to the Forms Authentication login page, while requests explicitly made to “/default.aspx” are allowed.
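
The following Python check is an added example, not part of the original article: it flags a web.config that matches the scenario above (Forms Authentication, a site-wide deny rule, and an anonymous exception for Default.aspx) and lists which of the three handler removals from the Resolution section are absent. It assumes a namespace-free <configuration> root and inspects only the one file, not inherited configuration; the function name and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Handler names are the three listed in the article's workaround.
EXTENSIONLESS_HANDLERS = {
    "ExtensionlessUrl-ISAPI-4.0_32bit",
    "ExtensionlessUrl-ISAPI-4.0_64bit",
    "ExtensionlessUrl-Integrated-4.0",
}

def _users(elements):
    """Collect the comma-separated users= values from allow/deny elements."""
    return {u.strip() for e in elements for u in e.get("users", "").split(",")}

def audit_web_config(xml_text):
    """Report whether one web.config matches the scenario in this article."""
    root = ET.fromstring(xml_text)
    auth = root.find("./system.web/authentication")
    forms = auth is not None and auth.get("mode", "").lower() == "forms"
    # Site-wide rule that rejects anonymous ("?") or all ("*") users.
    site_deny = bool({"?", "*"} & _users(root.findall("./system.web/authorization/deny")))
    # <location path="Default.aspx"> exception that lets anonymous users in.
    home_open = any(
        loc.get("path", "").lower() == "default.aspx"
        and {"?", "*"} & _users(loc.findall("./system.web/authorization/allow"))
        for loc in root.findall("./location"))
    removed = {r.get("name") for r in root.findall("./system.webServer/handlers/remove")}
    missing = sorted(EXTENSIONLESS_HANDLERS - removed)
    return {"matches_scenario": forms and site_deny and home_open,
            "workaround_complete": not missing,
            "missing_removals": missing}

# Constructed sample: the article's scenario with only one handler removed.
SAMPLE = """<configuration>
  <system.web>
    <authentication mode="Forms" />
    <authorization><deny users="?" /></authorization>
  </system.web>
  <location path="Default.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <system.webServer>
    <handlers><remove name="ExtensionlessUrl-Integrated-4.0" /></handlers>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    print(audit_web_config(SAMPLE))
```

A configuration that matches the scenario but has an incomplete workaround is a candidate for the redirect-to-login symptom on the home page.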