Today one of my colleagues had an issue with IIS authentication of requests going to .NET 2's WebResource.axd file to serve embedded control resources. The problem was that we wanted the site to run under integrated security, but there was one page in the site that needed to run under basic authentication because it was being portalised (through Plumtree). That page used a web control that had an embedded resource, which of course resulted in a call to WebResource.axd being made. This call, however, was breaking when it was being proxied by Plumtree.

If we set the whole application to use basic authentication, access to WebResource.axd worked just fine. This indicated to us that it was inheriting the permissions of the root folder, so we came up with a little workaround that allowed us to set the IIS security for the virtual file. The process we followed was as follows:
- Create a blank WebResource.axd file in the root of the application
- Go into IIS Manager and set the authentication on the file to "Basic Authentication"
- Using Explorer, delete the WebResource.axd file

This seems to work like a charm. Our rationale for why it works is that the IIS metabase entry for WebResource.axd still exists and therefore it applies those custom security settings as opposed to simply taking the parent's settings.
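
Because the file is deleted in the last step, the override exists only in the metabase and nothing on disk shows it. The PowerShell script below is an added example, not part of the original post: it lists the file-level entries under an application and the authentication methods each one enforces. It assumes an IIS 6 style metabase exposed through the ADSI `IIS://` provider, site ID 1, and the application at the site root; `$appPath` and the function name are hypothetical.

```powershell
# Added example. Assumptions: ADSI "IIS://" provider available (IIS 6 metabase),
# site ID 1, application is the site's root virtual directory.
$appPath = 'IIS://localhost/W3SVC/1/ROOT'

# Decode the metabase AuthFlags bitmask into readable method names.
function Format-AuthFlags([int]$flags) {
    $names = @()
    if ($flags -band 1)  { $names += 'Anonymous' }
    if ($flags -band 2)  { $names += 'Basic' }
    if ($flags -band 4)  { $names += 'IntegratedWindows' }
    if ($flags -band 16) { $names += 'Digest' }
    if ($flags -band 64) { $names += 'Passport' }
    if ($names.Count -eq 0) { 'None' } else { $names -join ', ' }
}

$app          = [ADSI]$appPath
$parentFlags  = [int]$app.psbase.Properties['AuthFlags'].Value
$physicalRoot = [string]$app.psbase.Properties['Path'].Value

"Parent {0}: {1}" -f $appPath, (Format-AuthFlags $parentFlags)

# File-level nodes have the schema class IIsWebFile. A node can outlive the
# file it was created for, which is what the workaround above relies on.
foreach ($child in $app.psbase.Children) {
    if ($child.psbase.SchemaClassName -ne 'IIsWebFile') { continue }

    $name  = [string]$child.psbase.Name
    $flags = [int]$child.psbase.Properties['AuthFlags'].Value

    New-Object PSObject -Property @{
        Name           = $name
        Auth           = Format-AuthFlags $flags
        DiffersFromApp = ($flags -ne $parentFlags)
        FileOnDisk     = Test-Path (Join-Path $physicalRoot $name)
    } | Select-Object Name, Auth, DiffersFromApp, FileOnDisk
}
```

An entry with `DiffersFromApp` true and `FileOnDisk` false is an override like the one created here, so it is worth recording in deployment notes: a metabase restore or site rebuild that omits it returns WebResource.axd to the parent's settings.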