We have an IIS7 intranet site running under integrated pipeline that is mostly ASP.Net with a few legacy classic ASP pages. The site allows anonymous access to most areas, but uses Windows Authentication to protect certain folders. Requests to ASP.Net pages in the protected folders behave as expected (authorized users can see them, others are denied), but any user can see any classic ASP page in the protected folders, regardless of permissions.
I suspect the Windows authentication module is not being invoked for requests to classic ASP pages. We're running in integrated pipeline mode, and I found this article (http://learn.iis.net/page.aspx/244/how-to-take-advantage-of-the-iis7-integrated-pipeline/), which indicates that you need to explicitly remove and re-add modules if you want to take advantage of the integrated pipeline for non-ASP.Net requests. I tried to copy the article's example, replacing only FormsAuthenticationModule with WindowsAuthenticationModule, by adding the following to the web.config at the application root:
<system.webServer>
  <modules>
    <remove name="WindowsAuthentication" />
    <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" preCondition="" />
  </modules>
</system.webServer>
However, classic ASP pages are still being served regardless of permission.
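As an added illustration (not part of the question above), this is the full shape of the pattern the linked article describes: the managed authentication module alone does not deny anything, because the `<authorization>` rules under system.web are enforced by the managed UrlAuthorization module, which carries the same "managedHandler" precondition and therefore also never runs for .asp requests. The folder name "Secure" and the group name are placeholders, and it assumes the authentication sections are unlocked at the server level.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Constructed example: folder and group names are placeholders. -->
  <system.webServer>
    <modules>
      <!-- Managed modules in applicationHost.config are registered with
           preCondition="managedHandler", so they are skipped for requests
           handled by the classic ASP handler. Re-adding them with an empty
           preCondition makes them run for every request in the pipeline. -->
      <remove name="WindowsAuthentication" />
      <add name="WindowsAuthentication"
           type="System.Web.Security.WindowsAuthenticationModule"
           preCondition="" />
      <!-- Authentication only identifies the user; the deny decision for
           system.web <authorization> rules is made by this module, so it
           needs the same treatment or .asp pages are never checked. -->
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule"
           preCondition="" />
    </modules>
  </system.webServer>

  <!-- Rules scoped to the protected folder only. -->
  <location path="Secure">
    <system.web>
      <authorization>
        <allow roles="DOMAIN\ProtectedUsers" />
        <deny users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <security>
        <authentication>
          <!-- Disabling anonymous access here makes the native pipeline
               challenge every request in the folder, .asp included; these
               sections are locked by default and must be unlocked in
               applicationHost.config (assumed) before web.config can set them. -->
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The effective module list for the folder can be confirmed with `appcmd list config "Default Web Site/Secure" /section:system.webServer/modules`, where both re-added entries should show an empty preCondition.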