Symptom:
A file handled by EPiServer versioned VPP is not delivered when using Windows integrated authentication. If you look in the EPiServer log files the UnauthorizedException are showed.
Back ground:
When a server running Windows integrated authentication, the server can’t guarantee that it always sends information about the logged in user. Windows integrated authentication are based on that when a non authorized request comes to the server it should respond with HTTP status 401, and the browser should relogin the user.
A bug in the Versioned VPP make it throw an UnauthorizedException when a request without logon information – and the browser sees it only as an ServerError and can’t relogon the user.
Workaround:
If only logged in users should access this provider we can force IIS to handle the HTTP status 401 for us by protect the VPPs root folder with setting the authorization tag to only accept logged on users.
<location path="pages">
<system.web>
<authorization>
<allow roles="*" />
<deny users="?" />
</authorization>
<httpHandlers>
<add path="WebResource.axd"
verb="GET"
type="System.Web.Handlers.AssemblyResourceLoader"
validate="true" />
<add path="*"
verb="*"
type="EPiServer.Web.StaticFileHandler, EPiServer"
validate="true" />
</httpHandlers>
</system.web>
<staticFile expirationTime="-1.0:0:0" />
</location>