Authorization fails for requests to the Default Document after KB980368 is installed in Internet Information Services (IIS) 7.0 or 7.5

Consider the following scenario. You have a web server running Internet Information Services (IIS) 7.0 or 7.5. The web server hosts an ASP.NET 4.0 web application that is configured to use Forms Authentication and a Default Document. You install the Extensionless URL update described in the Microsoft knowledge base article KB980368 onto the web server. After this update is installed, HTTP requests sent to the root of the web application will fail and users will be forced to reauthenticate, even though the Default Document is set to allow users via the Authorization section of the IIS configuration file.
In this scenario, the pertinent sections of the IIS configuration will look similar to the following:

<system.web> <authentication mode="Forms">  <forms name="FormsCookie" defaultUrl="Home.aspx" loginUrl="Login.aspx" path="/" /> </authentication>  <authorization>  <deny users="?" />  <allow users="*" /> </authorization></system.web><location path="Default.aspx"><system.web> <authorization>  <allow users="*" /> </authorization></system.web></location>

Before the Extensionless URL update in KB980368 is installed, when a request is sent to the root of the site the IIS static file handler will act first and redirect the request to the configured Default Document. For example, if the Default Document is set to default.aspx and the site name is, sending a request to will automatically send the user to Next, ASP.NET will come in to play due to the .aspx extension of the request URL and will serve default.aspx to the user in accordance with the Authorization setting in the location tag section of the configuration file.

After the Extensionless URL update in KB980368 is installed, the ASP.NET Extensionless URL handler will act first for the request to ASP.NET determines that the URL requires authentication, so the user is redirected to the Forms Authentication login page before the IIS static file handler gets a chance to request the Default Document.

If your web application does not require the Extensionless URL feature, then the wildcard handlers can safely be removed from the application configuration. In the IIS Manager, under the Handler Mappings section for the application, remove the following handlers: 

  1. ExtensionlessUrl-Integrated-4.0
  2. ExtensionlessUrl-ISAPI-4.0_32bit
  3. ExtensionlessUrl-ISAPI-4.0_64bit

An update is available that enables certain IIS 7.0 or IIS 7.5 handlers to handle requests whose URLs do not end with a period

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Artikelnummer: 2620604 – Letzte Überarbeitung: 10/21/2011 19:21:00 – Revision: 6.0

  • KB2620604