If have the following web.config:
<configuration>
<system.web>
<authentication mode="Forms">
<forms name="MembershipCookie"
loginUrl="Login.aspx"
protection="All"
timeout="525600"
slidingExpiration="true"
enableCrossAppRedirects="true"
path="/" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
The application is an ASP.NET 2.0 application running on Windows 2008R2/IIS7.5.
If the site’s application pool is configured to run ASP.NET 2.0 and I browse to http://example.com then Default.aspx is rendered as you’d expect from the rules above.
However if the application pool is set to run ASP.NET 4.0 I am redirected to the login page. If I explicitly specify http://example.com/default.aspx then all is good and default.aspx renders.
I’ve tried rewriting / -> /default.aspx (using IIS UrlRewriter 2.0) but the result is still the same, I get kicked to the login page.
I’ve also tried this with an ASP.NET 4.0 application with the same result (which is where the problem initially arose). The reason I tried this with a 2.0 application was to see if there was a change in behaviour, and it seems that / is handled differently in 4.0.
So to summarise, using the configuration above the following is observed:
ASP.NET Version Url Behaviour ------------------------------------------------------------------------- 2.0 http://example.com Renders Default.aspx 2.0 http://example.com/Default.aspx Renders Default.aspx 4.0 http://example.com Redirects to Login.aspx 4.0 http://example.com/Default.aspx Renders Default.aspx
Is this a bug/breaking change or have I missed something glaringly obvious?
Update:
I have got to the bottom of this issue, see my own answer below.
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
Found the culprit. As part of our WebDeploy 2.0/WebMatrix server side changes this hotfix is recommended by the WebMatrix Server Validator:
Installing this hot fix causes ASP.NET 4.0 to change the Forms Authentication behaviour where just the domain name part of a url is requested.
Update 1:
This QFE is also part of Windows 2008R2 SP1 and will also break ASP.NET 4.0’s Forms Authentication in the manner described above.
Update 2:
In addition this also breaks default document handling when running classic ASP applications in an application pool configured to run as ASP.NET & Classic Pipeline mode.
The server returns a 404.2 - Not Found error.
The same breaking change applies to Windows 2008R2 SP1.
Update 3:
I reported this to MS PSS and they confirmed a breaking change in behaviour. They created this KB article in response to us (and presumably others) having been affected by it:
In my own case I basically remove (or advise customers to) the extensionless handlers if impacted by this problem:
<configuration>
<system.webServer>
<handlers>
<remove name="ExtensionlessUrl-Integrated-4.0" />
<remove name="ExtensionlessUrl-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrl-ISAPI-4.0_32bit" />
</handlers>
</system.webServer>
</configuration>
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0