One side effect of using pretty URLs in IIS7 is that IIS7 doesn't run forms authentication for these URLs because they don't have the .aspx file extension. Here is a quick tip on how to fix it.
By default, IIS7 only runs ASP.NET authentication for requests with the .aspx file extension. This means that if you use a pretty URL (http://tim-stanley.com/page/about/), the URL isn't authenticated the same way it would be with a .aspx page extension (http://tim-stanley.com/page/about.aspx).
Normal .aspx Results
Sample URL: http://tim-stanley.com/page/about.aspx
HttpContext.Current.User.Identity.IsAuthenticated => true
HttpContext.Current.User.IsInRole("Administrators") => true
System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated => true
System.Threading.Thread.CurrentPrincipal.IsInRole("Administrators") => true
Html Extension Results
Sample URL http://tim-stanley.com/page/about.html
Sample URL http://tim-stanley.com/page/about/
Because neither of the URLs above is a .aspx file, they both return the same results: HttpContext still reports the user as authenticated, but IsInRole is false and the thread principal is anonymous.
HttpContext.Current.User.Identity.IsAuthenticated => true
HttpContext.Current.User.IsInRole("Administrators") => false
System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated => false
System.Threading.Thread.CurrentPrincipal.IsInRole("Administrators") => false
The Fix
After much research, I found a solution to this perplexing problem. The key was in searching for and finding the schema file that had the keywords. I believe this fix will also change authentication for *.axd handlers.
C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml
The IIS7 forms authentication changes go in the <system.webServer> section of web.config:
    <system.webServer>
        <modules runAllManagedModulesForAllRequests="true">
            <remove name="FormsAuthentication" />
            <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="integratedMode" />
            <remove name="UrlAuthorization" />
            <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition="integratedMode" />
            <remove name="DefaultAuthentication" />
        </modules>
    </system.webServer>
With the above web.config entries in place, the pretty URL and the .html URL return the same results as the .aspx page. The new results are listed below.
HttpContext.Current.User.Identity.IsAuthenticated => true
HttpContext.Current.User.IsInRole("Administrators") => true
System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated => true
System.Threading.Thread.CurrentPrincipal.IsInRole("Administrators") => true
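To confirm that the module changes actually apply to every URL form, it helps to log the four checks from the tables above on each request. The following IHttpModule is an added example, not code from the original post: it records HttpContext.Current.User and Thread.CurrentPrincipal after authorization has run and flags the mismatch that is the symptom of this problem (context says authenticated, thread principal is anonymous). The module class name, the "Administrators" role and the use of page tracing as the output sink are assumptions for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Added example (not from the original post): records, for every request, the
// same four checks compared in the post's result tables, so you can verify that
// FormsAuthentication and UrlAuthorization really ran for an extensionless URL.
public class PrincipalAuditModule : IHttpModule
{
    // Placeholder role name; substitute the role your site actually checks.
    private const string RoleToCheck = "Administrators";

    public void Init(HttpApplication app)
    {
        // PostAuthorizeRequest fires after UrlAuthorizationModule. If the managed
        // modules were skipped for this URL, the principal is still anonymous here.
        app.PostAuthorizeRequest += OnPostAuthorizeRequest;
    }

    private void OnPostAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        string line = Describe(ctx.Request.RawUrl, ctx.User, Thread.CurrentPrincipal);
        // Assumed output sink: ASP.NET page tracing (trace.axd / <trace enabled="true" />).
        ctx.Trace.Write("PrincipalAudit", line);
    }

    // Builds one audit line in the same shape as the post's result tables.
    public static string Describe(string url, IPrincipal contextUser, IPrincipal threadPrincipal)
    {
        bool ctxAuth = contextUser != null && contextUser.Identity.IsAuthenticated;
        bool ctxRole = contextUser != null && contextUser.IsInRole(RoleToCheck);
        bool thrAuth = threadPrincipal != null && threadPrincipal.Identity.IsAuthenticated;
        bool thrRole = threadPrincipal != null && threadPrincipal.IsInRole(RoleToCheck);

        // The failure mode described in the post is exactly this disagreement:
        // HttpContext reports an authenticated user while the thread principal does not.
        bool mismatch = ctxAuth != thrAuth || ctxRole != thrRole;

        return string.Format(
            "{0} ctx.IsAuthenticated={1} ctx.IsInRole={2} thread.IsAuthenticated={3} thread.IsInRole={4}{5}",
            url, ctxAuth, ctxRole, thrAuth, thrRole,
            mismatch ? " MISMATCH: managed auth modules did not run for this request" : "");
    }

    public void Dispose()
    {
    }
}
```

Register the module alongside the others in <system.webServer><modules> (for example <add name="PrincipalAudit" type="PrincipalAuditModule" preCondition="integratedMode" />), request the .aspx, .html and trailing-slash forms of the same page, and compare the audit lines: after the fix, all three should show identical values and no MISMATCH marker.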