Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Users may be redirected to the login page of an ASP.NET 4 application after installing Windows 7 Service Pack 1

Users may be redirected to the login page of an ASP.NET 4 application after installing Windows 7 Service Pack 1

View products that this article applies to.

Symptoms

Consider the following scenario. You have a Microsoft Windows 7 server running Microsoft Internet Information Services (IIS) and the .NET Framework 4.0. The IIS web application is configured to use Forms Authentication, allows anonymous users access to the application's home page, and the application relies on the IIS Default Document feature to map requests from "/" to default.aspx. After installing Windows 7 Service Pack 1, users may be redirected to the Forms Authentication login page for the application when attempting to access the application's home page.



↑ Back to the top

Cause

Microsoft has confirmed that this is a problem in the products listed in the applies-to section.

The Extensionless URL feature introduced in Windows 7 Service Pack 1 interferes with the way ASP.NET parses URLs that would normally be handled by the Default Document setting. This leads to anonymous access failing for certain URLs, causing the user to be redirected to the Forms Authentication login page to reauthenticate.


↑ Back to the top

Resolution

To work around this problem, developers can disable the Extensionless URL processing in their application by adding the following configuration elements to the application's web.config file - IMPORTANT: This configuration sample is illustrated for example purposes only and is not meant to be copy and pasted into your configuration file.  Always backup your configuration files before making any changes.



<system.webServer>
 
     <handlers>
          <remove name="ExtensionlessUrl-ISAPI-4.0_32bit" />
          <remove name="ExtensionlessUrl-ISAPI-4.0_64bit" />
          <remove name="ExtensionlessUrl-Integrated-4.0" />
     </handlers>
 
     <validation validateIntegratedModeConfiguration="false" />
 
</system.webServer>



↑ Back to the top

More Information

ASP.NET sites may deny access to anonymous users for most URLs within a website – while selectively allowing anonymous access to a web site’s home page.  For example, anonymous access to URLs like http://www.contoso.com and http://www.contoso.com/default.aspx is allowed, but all other URLs require authentication.  This can be accomplished inside of an application’s configuration like the following:
 
<location path="Default.aspx" >
  <system.web>      
    <authorization>        
      <allow users="*" />      
    </authorization>    
  </system.web>
</location>
 

This approach works because of the Default Document feature of IIS.  Default document handling transparently maps requests to paths like “/” or www.contoso.com to “/default.aspx” or www.contoso.com/default.aspx. Once this mapping occurs ASP.NET will see a request to default.aspx, associates that request with the <location /> tag that grants anonymous access, and the request is allowed to proceed.
 
However when ASP.NET 4 is used on Windows 7 SP1, the Extensionless URL feature will cause requests to URLs like “/” or www.contoso.com to be seen by ASP.NET in their un-mapped form.  This means, for example, that ASP.NET does not see a request for default.aspx when the initial request came in for "/".  As a result the <location /> tag granting anonymous access to default.aspx is never read, and the request is denied access.  Users may see behavior where requests to “/” will redirect them to the Forms Authentication login page, while requests explicitly made to “/default.aspx” will be allowed.


↑ Back to the top

Keywords: kb

↑ Back to the top

Article Info
Article ID : 2526854
Revision : 1
Created on : 1/7/2017
Published on : 3/23/2011
Exists online : False
Views : 221