ASP.NET 2.0 and 4.0 seem to treat the root url differently in Forms Authentication

Question

If have the following web.config:

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="MembershipCookie" 
             loginUrl="Login.aspx" 
             protection="All" 
             timeout="525600" 
             slidingExpiration="true" 
             enableCrossAppRedirects="true" 
             path="/" />
    </authentication>
    <authorization>
      <deny users="?"  />
    </authorization>
  </system.web>
  <location path="Default.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

The application is an ASP.NET 2.0 application running on Windows 2008R2/IIS7.5.

If the site's application pool is configured to run ASP.NET 2.0 and I browse to http://example.com then Default.aspx is rendered as you'd expect from the rules above.

However if the application pool is set to run ASP.NET 4.0 I am redirected to the login page. If I explicitly specify http://example.com/default.aspx then all is good and default.aspx renders.

I've tried rewriting / -> /default.aspx (using IIS UrlRewriter 2.0) but the result is still the same, I get kicked to the login page.

I've also tried this with an ASP.NET 4.0 application with the same result (which is where the problem initially arose). The reason I tried this with a 2.0 application was to see if there was a change in behaviour, and it seems that / is handled differently in 4.0.

So to summarise, using the configuration above the following is observed:

ASP.NET Version  Url                                 Behaviour
-------------------------------------------------------------------------
2.0              http://example.com                  Renders Default.aspx
2.0              http://example.com/Default.aspx     Renders Default.aspx
4.0              http://example.com                  Redirects to Login.aspx
4.0              http://example.com/Default.aspx     Renders Default.aspx

Is this a bug/breaking change or have I missed something glaringly obvious?

Update:

I have got to the bottom of this issue, see my own answer below.

Answer 1

Found the culprit. As part of our WebDeploy 2.0/WebMatrix server side changes this hotfix is recommended by the WebMatrix Server Validator:

MS KB:980368 - A update is available that enables certain IIS 7.0 or IIS 7.5 handlers to handle requests whose URLs do not end with a period

Installing this hot fix causes ASP.NET 4.0 to change the Forms Authentication behaviour where just the domain name part of a url is requested.

Update 1:

This QFE is also part of Windows 2008R2 SP1 and will also break ASP.NET 4.0's Forms Authentication in the manner described above.

Update 2:

In addition this also breaks default document handling when running classic ASP applications in an application pool configured to run as ASP.NET & Classic Pipeline mode.

The server returns a 404.2 - Not Found error.

The same breaking change applies to Windows 2008R2 SP1.

Update 3:

I reported this to MS PSS and they confirmed a breaking change in behaviour. They created this KB article in response to us (and presumably others) having been affected by it:

Web services may fail on Microsoft Internet Information Services (IIS) 7.5 and Windows 7 Service Pack 1 with .NET Framework 4.0 due to extensionless URL handlers

In my own case I basically remove (or advise customers to) the extensionless handlers if impacted by this problem:

<configuration>
  <system.webServer>
    <handlers>
      <remove name="ExtensionlessUrl-Integrated-4.0" />
      <remove name="ExtensionlessUrl-ISAPI-4.0_64bit" />
      <remove name="ExtensionlessUrl-ISAPI-4.0_32bit" />
    </handlers>
  </system.webServer>
</configuration>