Question

I think I'm missing something obvious, but with WIF configured, I can directly access files on my web site. E.g., https://mysite.com/MyWifApplication/ArbitraryFile.pdf is accessible without hitting my STS for credentials.

In web.config, I have the typical 

<authorization>
   <deny users="?" />
</authorization>

However, I am not challenged for authentication.

Please tell me I'm just missing something dumb.

Thanks!

Was it helpful?

Solution

you need to add the "runAllManagedModuleForAllRequests=true" to the modules section in system.webServer.

Otherwise the FAM/SAM will not kick in for static files.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top