I have an ASP.NET MVC site in IIS 8 which is secured using forms authentication. Within this site I have a sub-site (which is an application created via the "Add application" option in IIS 8). This sub-site consists of static HTML pages. So, for example, my main site URL is www.site.com. The sub-site URL is www.site.com/mysite.

I need to configure mysite such that a user can access mysite only if logged into www.site.com. Trying to access mysite directly should redirect to the www.site.com login page.

I have googled a lot on this and found some articles in SO.

Attempt 1: How do I protect static files with ASP.NET form authentication on IIS 7.5?

Based on this SO question, I tried making changes to the web.config of the parent site. I am mentioning it here:

<system.webServer>
    <modules>
        <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
        <remove name="UrlAuthorization" />
        <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
        <remove name="DefaultAuthentication" />
        <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
</system.webServer>

<system.web>
    <authorization>
        <deny users="?" />
    </authorization>
    <authentication mode="Forms">
        <forms defaultUrl="/Home/Index" loginUrl="/" protection="All" timeout="90">
        </forms>
    </authentication>
</system.web>

However, with these settings, when I try to open www.site.com/mysite, it does redirect me to the login page with www.site.com?returnUrl=mysite. However, after login it again redirects me to the login page.

Attempt 2: How to do Forms Authentication on purely HTML pages using ASP.NET?

As per this SO question, I tried making the child site www.site.com/mysite be handled by ASP.NET by adding the below in the web.config of the child site (mysite). However, no joy.

<compilation>
    <buildProviders>
        <add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
        <add extension=".htm" type="System.Web.Compilation.PageBuildProvider" />
    </buildProviders>
</compilation>

Attempt 3:

I tried adding the Forms Authentication and Authorization settings directly in the web.config file of the child site (www.site.com/mysite):

<system.web>
    <authorization>
        <deny users="?" />
    </authorization>
    <authentication mode="Forms">
        <forms defaultUrl="/Home/Index" loginUrl="/" protection="All" timeout="90" domain="site.com">
        </forms>
    </authentication>
</system.web>

The important thing to note here is the domain attribute added to the Forms tag. Still no joy!

Now I am wondering whether what I am trying is possible at all? Or is there any alternate solution that I may not be aware of?

devanalyst

1 Answer

The solution was as follows:

Step 1

Make the subsite with static HTML pages be handled by ASP.NET:

<compilation>
    <buildProviders>
        <add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
        <add extension=".htm" type="System.Web.Compilation.PageBuildProvider" />
    </buildProviders>
</compilation>

Step 2:

Share the forms authentication key between the parent (main) site and the child (sub) site, i.e. add the below in both the parent site web.config and the child site web.config:

<system.web>
    <machineKey decryptionKey="Yourdecryptionkey" validationKey="Your validation key" />
</system.web>

  • In order to generate these keys, in IIS select your site.
  • Double click on MachineKey option in the right side pane.
  • Here uncheck the options "Automatically generate at runtime" and "Generate unique key for each application" for validation key and decryption key. This will populate the Validation key and decryption key boxes. Now you can copy these keys and use them in your child site.
devanalyst
  • I came across a similar issue and your solution wasn't enough. I didn't need step 1 but I needed step 2 with the addition of adding compatibilityMode to the machineKey as I was using a different .Net version for my subsite. – Bert Berghmans May 09 '19 at 20:49
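
A quick way to confirm Step 2 before testing the login flow, as an added example that is not part of the original answer: this Python check reads two web.config documents and reports every machineKey difference that would stop the sub-site from reading the parent's forms authentication ticket, including the compatibilityMode mismatch mentioned in the comment. The sample configs and key values are constructed placeholders, and the check compares each file as written, without modelling IIS configuration inheritance.

```python
import re
import xml.etree.ElementTree as ET

# Constructed placeholder keys for this demo only; generate real ones in IIS.
DEC = "0123456789ABCDEF" * 4   # 64 hex characters
VAL = "FEDCBA9876543210" * 8   # 128 hex characters

def config(machine_key_xml):
    """Wrap a <machineKey> fragment in a minimal, constructed web.config."""
    return f"<configuration><system.web>{machine_key_xml}</system.web></configuration>"

PARENT = config(f'<machineKey decryptionKey="{DEC}" validationKey="{VAL}" />')
CHILD_SHARED = PARENT
CHILD_NO_KEY = config("")
CHILD_COMPAT = config(f'<machineKey decryptionKey="{DEC}" validationKey="{VAL}" '
                      'compatibilityMode="Framework45" />')

KEYS = ("decryptionKey", "validationKey")
SHARED = KEYS + ("decryption", "validation", "compatibilityMode")

def machine_key(config_xml):
    """Return the attributes of <system.web>/<machineKey>, or {} if absent."""
    node = ET.fromstring(config_xml).find("system.web/machineKey")
    return dict(node.attrib) if node is not None else {}

def ticket_sharing_problems(parent_xml, child_xml):
    """List the reasons the two applications cannot share an auth ticket."""
    parent, child = machine_key(parent_xml), machine_key(child_xml)
    problems = []
    for site, cfg in (("parent", parent), ("child", child)):
        for attr in KEYS:
            value = cfg.get(attr)
            if value is None or "AutoGenerate" in value:
                problems.append(f"{site}: {attr} is not an explicit key in this file")
            elif not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
                problems.append(f"{site}: {attr} is not a hex string")
    # Both sides must agree on keys, algorithms and compatibility mode.
    for attr in SHARED:
        if parent.get(attr) != child.get(attr):
            problems.append(f"{attr} differs between parent and child")
    return problems

if __name__ == "__main__":
    for name, child in (("shared", CHILD_SHARED), ("no key", CHILD_NO_KEY),
                        ("compat", CHILD_COMPAT)):
        print(name, ticket_sharing_problems(PARENT, child))
```

The literal placeholders from the answer ("Yourdecryptionkey") are reported as non-hex, which catches a web.config where the sample text was pasted without real keys.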