Forms Authentication Ignoring Default Document

I have spent a day and a half trying to resolve this issue. Bascially have an website with Forms Authentication on IIS7 using Framework 4.0.

The Authorization stuff seems to be working perfectly for every scenario with the exception of hitting it with no document specifed (Should resolve to Default Doc).

For example (Please don’t be harsh on site its still be developed 😉 ), works perfectly, this page should allow anon access as specified in the web.config.

but if I hit Directly it redirects to the login page with Return URL set to “/” or Login.aspx?ReturnUrl=%2f

Some things I have tried:

1) Set Authentication to None and then the Default document worked so thats not the issue.

2) Added DefaultDocument attribute to Web.config

3) Deleted all entries for in Default Document list in IIS except for Default.aspx

4) Added MachineKey entry in Config

5) Toggled from Integrated to Classic pipeline in IIS

Here is what’s in my config:

  <authentication mode="Forms">
    <forms name="appNameAuth" loginUrl="Login.aspx" protection="All" timeout="60" slidingExpiration="true" defaultUrl="Default.aspx" path="/">

 <location path="Default.aspx">

Thanks so much for your time and hope someone knows what is going on here.


Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

This was my solution:

In Global.asax, method: Application_BeginRequest, place the following:

if (Request.AppRelativeCurrentExecutionFilePath == "~/")  

Nice and simple, and you have a chance to build logic around what home page you want to use if your website uses multiple home pages based on configuration variables.


Method 2

I was seeing this same problem when attempting to hit the root path and I tried everything previously mentioned. It seems 4.0 adds two ExtensionlessUrl modules to applicationhost.config for IIS 7. You can remove these modules by adding the following to your web.config

    <remove name="ExtensionlessUrl-Integrated-4.0"/>
    <remove name=" ExtensionlessUrl-ISAPI-4.0_32bit "/>

Additional Information

Microsoft KB

How extensionless urls are handled by asp net v4

Method 3

I had a similar problem. No styles when I wasn’t logged in, redirected to the login-page (with a redirect url to a home-page) and entering (same homepage as the redirect url mentioned before) didn’t need a login.

Solution was:

  • Open IIS
  • Open IIS: Authentication
  • Open and edit Anonymous access
  • Check user (I changed the user to the app.pool user)
  • Give user rights on the root of the site (on the file system)

That worked out for me.

Good luck

Method 4

What I ended up doing to fix this is writing a few lines of code in my login page to check for a Request.QueryString[“ReturnUrl”] of “/”. If it found that, then it redirected to default.aspx.

I couldn’t find ANY way to make forms authentication not intercept calls without a page specified (e.g. 🙁 I even tried .NET 4 URL Routing and that didn’t prevent Forms Authentication from hijacking the request either.

Below is the code I used in login.aspx:

protected void Page_Load(object sender, EventArgs e)
    if (!(IsPostBack || IsAsync))
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (returnUrl != null)
            if (returnUrl == "/")

Method 5

Johan’s solution worked for me, but only if the request was for the site root.

My site is organized like this:

  • www.[mysite].com/login.aspx
  • www.[mysite].com/default.aspx
  • www.[mysite].com/[somestuff]/default.aspx
  • www.[mysite].com/[morestuff]/default.aspx

After following Johan’s good advice, requests to www.[mysite].com got directed to the forms login page, and after login, the default page. However, if someone requested “/[somestuff]/”, it still wouldn’t work.

I got it to work by enabling anonymous authentication on the [somestuff] and [morestuff] directories, and then disabling it on the individual files within these directories. That’s not a security setup I want to support, given people could either get where they are going from default.aspx or just requesting [somestuff]/default.aspx to begin with. But now I know why it is failing. It seems you need anonymous access on directories on which you wish to use default documents.

Method 6

I had a similar problem today. I was trying use the integrated pipeline to secure resources (static files, php, etc.).

I had a rule in my root web.config that had , then I was allowing access to specific resources on a case by case basis.

This worked except that requests to “/” could never be authenticated (endlessly redirecting to the login page), while requests to “/Default.aspx” were fine.

My problem was because the Asp.Net UrlAuthentication module was enabled for all resource types, and apparently this doesn’t work for my scenario. Instead I had to change that module to work for managed resources only and install IIS7’s non-managed url authentication. I then had to configure that (since it uses different authentication settings), and make sure that the RoleManager was enabled for non-managed resources (since I was authenticating on roles). This URL might be helpful:

Method 7

I run into same problem and resolved this way:

in Global.asax beside Dmitry.Alk solution I added:

    if (Request.AppRelativeCurrentExecutionFilePath.ToLower() == "~/default.aspx")
    if (Request.AppRelativeCurrentExecutionFilePath.ToLower() == "~/")
    if (Request.AppRelativeCurrentExecutionFilePath.ToLower() == "~")

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x