ASP.NET Security Puzzle -- Need Explanation
I've got an ASP.NET website that has several IIS sub-applications running on it. Some of the sub-apps have authentication=None and were always working fine. I recently changed the root app to have authentication=Forms, with authorization denying anonymous users. Several tests since that time have always shown the sub-apps still working, as expected since they are separate applications in IIS and ASP.NET.

Now all of a sudden, with no difference that I know of, one of these sub-apps started popping up the Windows Integrated Security dialog. Looking in IIS showed that anonymous access was still granted on the folders and files of this app. I also verified that the security permissions for all users were identical with this app and ones still working. I changed the root app back to what it was, and that didn't fix anything, but I didn't expect it to anyhow. Somewhere along the way in my checking, one of the other sub-apps also started having this behavior. I don't know of anything I changed that could possibly have this behavior right in front of my very eyes! I couldn't figure out any explanation, and therefore no fix, since the only way I know for this dialog to pop up is either anonymous denied in IIS or file/folder security settings.

My colleague finally took a web.config file from one of the working sub-apps and put it in one of the non-working apps -- and it worked! The only difference we could find between the web.config files was that the non-working app did not have an authorization section. Of course, it also had authentication=None, and anonymous users were allowed in IIS, so I don't see how this could matter. We looked at the other non-working app's web.config and it was also missing the authorization section, so we added it -- and it worked too! By the way, this authorization section simply says to allow authenticated users -- it does not even mention anonymous users.

Even if the app root were affecting this, it also allowed authenticated users except in one unrelated sub-folder, so again I don't see how this change really could help. I've since tried removing authorization sections on a few of my local web apps and it has yet to make any difference. Also, to the best of my knowledge, nothing in the first sub-app changed, and I know the other one quit working right before my eyes, again not touching it since it was the other one that was being checked.

I still cannot fathom why adding an authorization section, especially one that does not even mention anonymous users, could make a difference. Anyone know of an explanation, or some other things that I should look out for that could cause the Windows login dialog to pop up?