Applying ASP.NET authentication accross all contents including classic ASP

In this post we will be talking about how to apply authentication accross all contents including classic ASP pages using ASP.NET authentication modules.

Before moving forward with this post lets discuss why am I writing a blog on such old technology and at what all scenarios is this applicable. So long story short, as you guys must have already understood this kind of feature will be handy when you are migrating some old/legacy application to some new technology such as cloud, or may be in containers. Recently while working for a client we had a requirement to migrate old on prem application to cloud. Basically we had to containerize the application using Docker and then run it in Service frabric cluster and apply authentication as we remediate the application. Now that we know the requirement lets proceed to see how easily we can achieve the above.

So basically we will leverage the power of IIS integrated pipeline to achieve the above requirement. Lets discuss a bit about IIS integrated pipeline and what are the features that comes out of the box with integrated pipeline.

IIS 6.0 and previous versions allowed the development of .NET application components via the ASP.NET platform. ASP.NET integrated with IIS via an ISAPI extension, and exposed its own application and request processing model. This effectively exposed two separate server pipelines, one for native ISAPI filters and extension components, and another for managed application components. ASP.NET components would execute entirely inside the ASP.NET ISAPI extension bubble and only for requests mapped to ASP.NET in the IIS script map configuration.

IIS 7.0 and above integrates the ASP.NET runtime with the core web server, providing a unified request processing pipeline that is exposed to both native and managed components known as modules. The many benefits of integration include:

  • Allowing services provided by both native and managed modules to apply to all requests, regardless of handler. For example, managed Forms Authentication can be used for all content, including ASP pages, CGIs, and static files.
  • Empowering ASP.NET components to provide functionality that was previously unavailable to them due to their placement in the server pipeline. For example, a managed module providing request rewriting functionality can rewrite the request prior to any server processing, including authentication.
  • A single place to implement, configure, monitor and support server features such as single module and handler mapping configuration, single custom errors configuration, single url authorization configuration.

Learn more about building IIS 7.0 and above modules in Developing IIS 7.0 and Above Modules and Handlers with the .NET Framework.


Since we are trying to run classic ASP and ASP.NET application in IIS, we need to enable windows features that will let IIS serve classic ASP pages and ASP.NET pages. In “Turn on or off Windows features”. Then open “Internet Information Services” — “World Wide Web Services” — “Application Development Features” — check “ASP.NET” and “ASP”

If you are plannning to do that inside windows containers, since we dont have UI over there, we will require either powershell or cmd to enable these features.

Powershell script for the above operation is as follows:

  • Add-WindowsFeature -name Web-ASP

Enabling Forms Authentication for the Entire Application

In order to take advantage of ASP.NET integration, our application must be configured to run in Integrated mode. The ASP.NET integration mode is configurable per application pool, enabling ASP.NET applications in different modes to be hosted side by side on the same server. The default application pool in which our application lives already uses Integrated mode by default, so we do not need to do anything here.

But unfortunately only uing integrated mode will not serve the purpose. Why? The answer lies in the default settings for all ASP.NET modules shipped with IIS 7.0 and above.

Taking Advantage of the Integrated Pipeline

The default configuration for all managed modules shipped with IIS 7.0 and above, including the Forms Authentication and URL Authorization modules, uses a precondition so that these modules only apply to content that an (ASP.NET) handler manages. This is done for backwards compatibility reasons.

By removing the precondition, we make the desired managed module execute for all requests to the application, regardless of content. This is necessary in order to protect our static files, and any other application content with Forms-based authentication.

Lets see how we can achieve this using IIS manager:

1st of all we have to ensure the app pool for pur website is set to integrated mode like this:

Now that we have created our website with app pool .NET 4.5 integrated (for our requirement), we will have to go to modules and change few default settings there.

Note: We have selected the FormsAuthenticationModule and unselected the check box below to allow the module to run for all file types.

To achieve this in code, open the application’s web.config file and paste the following lines immediately below the first <configuration> element:

<remove name="FormsAuthenticationModule" />
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />

This configuration re-adds the module elements without the precondition, enabling them to execute for all requests to the application.

Allow authetication in code:

Now that we have all the settings in place, lets see how to enable authetication for individual files, or all files accross solution using ASP.NET authetication. If you are familiar with authetication in ASP.NET we will be using the same approach here.

Not going into details about how to use forms authetiation or stuffs like that because this is not the scope of this post, but yes now that we have enabled IIS settings we can use authetication module to autheticate each and every file.

As you are already aware of this is simple configuration to enable authetication for all files in the application.

<allow users="*"/>
<deny users="?"/>


So we have seen in this post how to use ASP.NET authentication module for all files even if its not a .NET managed code.

Cloud architect | polyglot developer focusing on Azure, microservices, DevOps and Docker.