The environment is an integrated pipeline of IIS 7, ASP.NET 4.0. I have a .aspx page configured without anonymous authentication and with Windows authentication:
<location path="auth/windows"> <system.webServer> <security> <authentication> <anonymousAuthentication enabled="false" /> <windowsAuthentication enabled="true" /> </authentication> </security> </system.webServer> </location>
When I request a page, a regular Windows authentication request (NTLM / Negotiate) occurs, and the page eventually returns.
I have an HttpModule in which I am handling the PostAuthorize event. As expected, this event only occurs after authentication with the request and response succeeds and access to the page is allowed.
However, the Request.IsAuthenticated property is false; and HttpContext.Current.User.Identity reflects an unauthenticated user (.Name returns an empty string). Interestingly, Request.ServerVariables ["LOGON_USER"] returns the value of an authenticated Windows user.
I would think that as soon as the user is authenticated (and allowed, for that matter), the request will reflect authentication; and the User / Identifier for the request would be correctly set.
Any thoughts on why this is not so?
Thanks,
Donnie
source share