Authorization fails for requests to the Default Document after KB980368 is installed in Internet Information Services (IIS) 7.0 or 7.5
Consider the following scenario. You have a web server running Internet Information Services (IIS) 7.0 or 7.5. The web server hosts an ASP.NET 4.0 web application that is configured to use Forms Authentication and a Default Document. You install the Extensionless URL update described in the Microsoft knowledge base article KB980368 onto the web server. After this update is installed, HTTP requests sent to the root of the web application will fail and users will be forced to reauthenticate, even though the Default Document is set to allow users via the Authorization section of the IIS configuration file.
In this scenario, the pertinent sections of the IIS configuration will look similar to the following:
<system.web> <authentication mode="Forms"> <forms name="FormsCookie" defaultUrl="Home.aspx" loginUrl="Login.aspx" path="/" /> </authentication> <authorization> <deny users="?" /> <allow users="*" /> </authorization></system.web><location path="Default.aspx"><system.web> <authorization> <allow users="*" /> </authorization></system.web></location>
Before the Extensionless URL update in KB980368 is installed, when a request is sent to the root of the site the IIS static file handler will act first and redirect the request to the configured Default Document. For example, if the Default Document is set to default.aspx and the site name is http://www.mysite.com, sending a request to http://www.mysite.com will automatically send the user to http://www.mysite.com/default.aspx. Next, ASP.NET will come in to play due to the .aspx extension of the request URL and will serve default.aspx to the user in accordance with the Authorization setting in the location tag section of the configuration file.
After the Extensionless URL update in KB980368 is installed, the ASP.NET Extensionless URL handler will act first for the request to http://www.mysite.com.
ASP.NET determines that the URL requires authentication, so the user is redirected to the Forms Authentication login page before the IIS static file handler gets a chance to request the Default Document.
If your web application does not require the Extensionless URL feature, then the wildcard handlers can safely be removed from the application configuration. In the IIS Manager, under the Handler Mappings section for the application, remove the following handlers:
for other considerations.
Article ID: 2620604 - Last Review: 10/21/2011 19:21:00 - Revision: 6.0