Forms Authentication Ignoring Default Document

Question

I have spent a day and a half trying to resolve this issue. Bascially have an ASP.net website with Forms Authentication on IIS7 using Framework 4.0.

The Authorizati

Answer 1

I had a similar problem. No styles when I wasn't logged in, www.site.nl\ redirected to the login-page (with a redirect url to a home-page) and entering www.site.nl\Home (same homepage as the redirect url mentioned before) didn't need a login.

Solution was:

• Open IIS
• Open IIS: Authentication
• Open and edit Anonymous access
• Check user (I changed the user to the app.pool user)
• Give user rights on the root of the site (on the file system)

That worked out for me.

Good luck

Answer 2

Johan's solution worked for me, but only if the request was for the site root.

My site is organized like this:

• www.[mysite].com/login.aspx
• www.[mysite].com/default.aspx
• www.[mysite].com/[somestuff]/default.aspx
• www.[mysite].com/[morestuff]/default.aspx

After following Johan's good advice, requests to www.[mysite].com got directed to the forms login page, and after login, the default page. However, if someone requested "/[somestuff]/", it still wouldn't work.

I got it to work by enabling anonymous authentication on the [somestuff] and [morestuff] directories, and then disabling it on the individual files within these directories. That's not a security setup I want to support, given people could either get where they are going from default.aspx or just requesting [somestuff]/default.aspx to begin with. But now I know why it is failing. It seems you need anonymous access on directories on which you wish to use default documents.

Answer 3

I was seeing this same problem when attempting to hit the root path and I tried everything previously mentioned. It seems Asp.net 4.0 adds two ExtensionlessUrl modules to applicationhost.config for IIS 7. You can remove these modules by adding the following to your web.config

<system.webServer>
  <handlers>
    <remove name="ExtensionlessUrl-Integrated-4.0"/>
    <remove name=" ExtensionlessUrl-ISAPI-4.0_32bit "/>
  </handlers>
</system.webServer>

Additional Information

Microsoft KB

How extensionless urls are handled by asp net v4

Answer 4

I run into same problem and resolved this way:

in Global.asax beside Dmitry.Alk solution I added:

    if (Request.AppRelativeCurrentExecutionFilePath.ToLower() == "~/default.aspx")
        HttpContext.Current.RewritePath("Default.aspx");
    if (Request.AppRelativeCurrentExecutionFilePath.ToLower() == "~/")
        HttpContext.Current.RewritePath("Default.aspx");
    if (Request.AppRelativeCurrentExecutionFilePath.ToLower() == "~")
        HttpContext.Current.RewritePath("Default.aspx");

Answer 5

What I ended up doing to fix this is writing a few lines of code in my login page to check for a Request.QueryString["ReturnUrl"] of "/". If it found that, then it redirected to default.aspx.

I couldn't find ANY way to make forms authentication not intercept calls without a page specified (e.g. www.mysite.com). :( I even tried .NET 4 URL Routing and that didn't prevent Forms Authentication from hijacking the request either.

Below is the code I used in login.aspx:

protected void Page_Load(object sender, EventArgs e)
{
    if (!(IsPostBack || IsAsync))
    {
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (returnUrl != null)
            if (returnUrl == "/")
                Response.Redirect("default.aspx");
    }
}

Answer 6

This was my solution:

In Global.asax, method: Application_BeginRequest, place the following:

if (Request.AppRelativeCurrentExecutionFilePath == "~/")  
   HttpContext.Current.RewritePath("HomePage.aspx");

Nice and simple, and you have a chance to build logic around what home page you want to use if your website uses multiple home pages based on configuration variables.

Dmitry.Alk