6

We have an IIS7 intranet site running under integrated pipeline that is mostly ASP.Net with a few legacy classic ASP pages. The site allows anonymous access to most areas, but uses Windows Authentication to protect certain folders. Requests to ASP.Net pages in the protected folders behave as expected (authorized users can see them, others are denied), but any user can see any classic ASP page in the protected folders, regardless of permissions.

I suspect the windows authentication module is not being invoked for requests to classic ASP pages. We're running in integrated pipeline mode, and I found this article (http://learn.iis.net/page.aspx/244/how-to-take-advantage-of-the-iis7-integrated-pipeline/) which indicates that you need to explicitly remove and re-add modules if you want to take advantage of the integrated pipeline for non-ASP.Net requests. I tried to copy the article's example only replacing FormsAuthenticationModule with WindowsAuthenticationModule by adding the following to the web.config at the application root:

    <system.webServer>
        <modules>
            <remove name="WindowsAuthentication" />
            <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" preCondition="" />
        </modules>
    </system.webServer>

However, classic ASP pages are still being served regardless of permission.

Tom Wayson

1 Answer

3

Classic ASP pages totally ignore web.config or any .config actually.

The only way to handle this for classic ASP is through IIS: you will have to move the classic ASP pages under a separate virtual website, then for that virtual website set Windows Authentication and disable Anonymous Access.

This might help you as well:
IIS7: Setup Integrated Windows Authentication like in IIS6

Shadow The GPT Wizard
  • Thanks @shadowWizard, but I'm confused. I thought one of the benefits of integrated pipeline was that you could apply the ASP.Net security to any request (ASP.Net, classic ASP, even static content - html and images). From the article I linked to: "Allowing services provided by both native and managed modules to apply to all requests, regardless of handler. For example, managed Forms Authentication can be used for all content, including ASP pages, CGIs, and static files." If managed forms authentication can be applied, why not managed Windows authentication? – Tom Wayson Aug 17 '11 at 22:11
  • I'm no expert in this, but what I do know is that Windows Authentication means the following: the server sends the client browser some header saying "Please identify yourself". The client browser either sends credentials automatically or asks the user to type them, depending on browser type and settings. Now, all of this is happening "behind the scenes" and at the low level of browser/server communication. Forms Authentication is higher level. That's my pick on this, I hope someone who knows better will appear and explain it more accurately though. – Shadow The GPT Wizard Aug 18 '11 at 07:15
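
A check for the symptom described in the question, as an added example that is not part of the original posts: it requests each supposedly protected URL without credentials and flags any that the server delivers instead of answering 401 with a Negotiate or NTLM challenge. The host name, paths and sample responses are constructed placeholders.

```python
import urllib.error
import urllib.request

WINDOWS_SCHEMES = {"negotiate", "ntlm"}  # challenges sent by IIS Windows Authentication

# Constructed sample responses mirroring the symptom in the question (hypothetical URLs).
SAMPLE = {
    "http://intranet.example/protected/report.aspx": (401, ["Negotiate", "NTLM"]),
    "http://intranet.example/protected/legacy.asp": (200, []),
}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report a 3xx as-is instead of following it


def fetch_anonymous(url, timeout=10):
    """GET url with no credentials; return (status, WWW-Authenticate values)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get_all("WWW-Authenticate") or []
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get_all("WWW-Authenticate") or []


def classify(status, challenges):
    """Judge one anonymous response to a URL that is supposed to be protected."""
    schemes = {c.split()[0].lower() for c in challenges if c.strip()}
    if status == 401 and schemes & WINDOWS_SCHEMES:
        return "PROTECTED"              # Windows Authentication challenged the request
    if status == 401:
        return "CHALLENGE_NOT_WINDOWS"  # denied, but by some other scheme
    if 200 <= status < 300:
        return "EXPOSED"                # content served without any credentials
    return "INCONCLUSIVE"               # redirect or error: inspect by hand


def audit(urls, fetch=fetch_anonymous):
    """Map each URL to its verdict; pass a stub as fetch to run offline."""
    return {url: classify(*fetch(url)) for url in urls}


if __name__ == "__main__":
    for url, verdict in audit(SAMPLE, fetch=SAMPLE.__getitem__).items():
        print(f"{verdict:22} {url}")
```

Run as-is it prints the verdicts for the constructed sample; calling `audit()` with a list of real URLs and the default `fetch` performs live requests, so it can be rerun after each configuration change.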