A while ago, my ASP.NET 2.0 application seemed to ignore the /configuration/system.web/authorization setting and authorised everyone to have access, while it should not have. The application was deployed on IIS 6.0 (Windows 2003 Standard SP), with a customised application pool with a domain user as the app pool identity. Impersonation was off.
What was strange during access:
- via hostname, no one was authorised – 401.1 Invalid credentials from IIS 6.0,
- via IP address, everyone was authorised – after a username and password were given and the user was authenticated.
I have to investigate further what causes that behaviour… Anyway, it seems that the ASP.NET application falls back to ACL-based authorization, so setting the ACL to proper values is a quick-but-not-permanent solution to the problem.
Give me a hint if the same happened to you and you know a possible cause.