In IIS7 under Windows Server 2008, I have a virtual directory with anonymous access off and Windows authentication on. In my web.config, I have:
<authentication mode="Windows"/>
<authorization>
<allow roles="MYGROUP"/>
<deny users="*"/>
</authorization>
and
<system.webServer>
<!-- IIS7 security settings -->
<security>
<authorization>
<add accessType="Deny" users="*"/>
<add accessType="Allow" roles="MYGROUP"/>
</authorization>
</security>
</system.webServer>
Yet when I access default.aspx from IE and set a breakpoint in Global.asax.vb Application_AuthenticateRequest(), I get a null HttpContext.Current.User where I am expecting my own identity. It is almost as if Anonymous Access is on?
What can I do to troubleshoot this? Everything seems to work in IIS6.
The answer to of moving the Application Pool back to classical is just delaying the problem.
Instead leave the application pool alone and move your authenticate check from Application_AuthenticateRequest(), to the next function in the pipeline:
Application_AuthorizeRequest(object sender, EventArgs e)
By then the integrated Application Pool has completed the windows authentication allow you not to receive null from HttpContext.Current.User.
The pipeline can be found here (link provided by CarlosAg).
A visualization of the pipeline can be found on the asp website message lifecycle page. In the controller section checkout the two green boxes "Authentication filters" and "Authorization filters". These are the areas you are messing with.