Pretty URLs And IIS7 Authentication

May 11, 2009
by: Tim Stanley

One side effect of using pretty (extensionless) URLs in IIS7 is that the ASP.NET authentication and authorization modules don't run for them, because the request is never mapped to the .aspx handler. Here is a quick tip on how to fix it.

By default, IIS7 in Integrated mode runs the managed authentication and authorization modules (Forms authentication, URL authorization) only for requests mapped to a managed handler, which in practice means the .aspx extension. This means that if you create a pretty URL (http://tim-stanley.com/page/about/), the URL isn't authenticated the same way it would be with a .aspx page extension (http://tim-stanley.com/page/about.aspx).

Normal .aspx Results

Sample URL: http://tim-stanley.com/page/about.aspx

HttpContext.Current.User.Identity.IsAuthenticated => true
HttpContext.Current.User.IsInRole("Administrators") => true
System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated => true
System.Threading.Thread.CurrentPrincipal.IsInRole("Administrators") => true

HTML Extension And Extensionless Results

Sample URL: http://tim-stanley.com/page/about.html

Sample URL: http://tim-stanley.com/page/about/

Because neither URL above maps to a .aspx page, both return the same results (IsInRole is false, and the thread principal is not authenticated).

HttpContext.Current.User.Identity.IsAuthenticated => true
HttpContext.Current.User.IsInRole("Administrators") => false
System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated => false
System.Threading.Thread.CurrentPrincipal.IsInRole("Administrators") => false

The Fix

After much research, I found a solution to this perplexing problem. The key was in searching for and finding the schema file that had the keywords (the runAllManagedModulesForAllRequests attribute used below is defined there). I believe this fix will also change authentication for *.axd handlers.

C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml

Add the following to the <system.webServer> section of the site's web.config:

   <!-- Run every managed module for every request, not only for requests mapped to a managed (.aspx) handler -->
   <modules runAllManagedModulesForAllRequests="true">
       <!-- Re-add the two modules with preCondition="integratedMode" in place of the
            inherited "managedHandler" precondition, so they run regardless of the handler -->
       <remove name="FormsAuthentication" />
       <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="integratedMode" />
       <remove name="UrlAuthorization" />
       <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition="integratedMode" />
       <remove name="DefaultAuthentication" />
   </modules>

With the above web.config entries in place, the pretty URLs return the same results as the .aspx page:

HttpContext.Current.User.Identity.IsAuthenticated => true
HttpContext.Current.User.IsInRole("Administrators") => true
System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated => true
System.Threading.Thread.CurrentPrincipal.IsInRole("Administrators") => true
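To make the rule behind both the symptom and the fix concrete, here is an added example; it is my code, not code from the original post or from IIS. A PowerShell function reads the text of a site's web.config and reports whether FormsAuthentication and UrlAuthorization will run for an extensionless request, applying the rule that in Integrated mode a managed module runs for such a request only when runAllManagedModulesForAllRequests is true or the module's preCondition does not include managedHandler. The three web.config fragments it checks are constructed samples: the inherited default, the post's fix, and a narrower alternative that strips the managedHandler precondition from only the two modules that must see every request instead of running every managed module for every request. The function name Test-ManagedModuleCoverage and the property names are my own.

```powershell
# Added example, not code from the original post or from IIS itself.
# Decide, from a site's web.config text, whether FormsAuthentication and
# UrlAuthorization will run for a request that is NOT mapped to a managed
# handler (e.g. /page/about/ or /page/about.html).
#
# Rule: in IIS7 Integrated mode a managed module runs for such a request only
# if <modules runAllManagedModulesForAllRequests="true"> is set, or the
# module's own preCondition does not contain "managedHandler" (the
# precondition every ASP.NET module inherits from applicationHost.config).
function Test-ManagedModuleCoverage {
    param(
        [Parameter(Mandatory = $true)][string]$WebConfigXml,
        [string[]]$ModuleNames = @('FormsAuthentication', 'UrlAuthorization')
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($WebConfigXml)
    $modules = $doc.SelectSingleNode('/configuration/system.webServer/modules')

    $runAll = $false   # attribute absent => IIS default of false
    if ($modules -ne $null) {
        $runAll = ($modules.GetAttribute('runAllManagedModulesForAllRequests') -eq 'true')
    }

    foreach ($name in $ModuleNames) {
        $preCondition = 'managedHandler'   # inherited when web.config says nothing
        $present = $true
        if ($modules -ne $null) {
            $add = $modules.SelectSingleNode("add[@name='$name']")
            if ($add -ne $null) {
                # GetAttribute returns "" when the attribute is missing (no precondition at all)
                $preCondition = $add.GetAttribute('preCondition')
            } elseif ($modules.SelectSingleNode("remove[@name='$name']") -ne $null) {
                $present = $false          # removed and never re-added: never runs
                $preCondition = '(removed)'
            }
        }
        $needsManagedHandler = @($preCondition -split ',' | ForEach-Object { $_.Trim() }) -contains 'managedHandler'
        New-Object PSObject -Property @{
            Module                   = $name
            PreCondition             = $preCondition
            RunsForExtensionlessUrls = ($present -and ($runAll -or -not $needsManagedHandler))
        }
    }
}

# --- Constructed sample web.config fragments (not from any real server) ---

# 1. No <modules> overrides: the modules inherit managedHandler and skip /page/about/.
$defaultConfig = @'
<configuration>
  <system.webServer />
</configuration>
'@

# 2. The post's fix: every managed module runs for every request.
$runAllConfig = @'
<configuration>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="integratedMode" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition="integratedMode" />
    </modules>
  </system.webServer>
</configuration>
'@

# 3. Narrower alternative: only these two modules lose the managedHandler
#    precondition; Session, Profile and the rest stay out of the static-file path.
$targetedConfig = @'
<configuration>
  <system.webServer>
    <modules>
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="integratedMode" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition="integratedMode" />
    </modules>
  </system.webServer>
</configuration>
'@

foreach ($cfg in @($defaultConfig, $runAllConfig, $targetedConfig)) {
    Test-ManagedModuleCoverage -WebConfigXml $cfg |
        Format-Table Module, PreCondition, RunsForExtensionlessUrls -AutoSize
}
```

The script needs only Windows PowerShell and System.Xml, no WebAdministration module, so it can be run against a copy of a web.config taken off the server (pass the output of Get-Content on the file as -WebConfigXml). Sample 1 reports both modules as not running for extensionless URLs, while samples 2 and 3 report them as running; the third form is the one to prefer when the site serves much static content, because runAllManagedModulesForAllRequests="true" pushes every managed module (session, profile, and so on) into the pipeline for every image and stylesheet as well. One caveat: the check reads only the site's web.config and assumes the applicationHost.config defaults for anything it does not override, so a module whose precondition was already changed at the server level will be reported from the inherited default rather than the real effective value.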
