why does runAllManagedModulesForAllRequests="true" work for 403?

Question

Backstory; I develop MVC applications, and on most of my companies webservers, whenever I deploy and MVC app, I get 403 when trying to browse to that site. I know that

<system.webServer>
   <modules runAllManagedModulesForAllRequests="true"/> 
 </system.webServer>

is a solution to get rid of, atleast the 403's I always get on some of our webservers (if not all).

My question is this; Why does it work to fix the 403? what module is missing since I get an access denied? and what is a better solution than to run all modules?

Answer 1

Basically, the missing "bit" is the FormsAuthentication module.

The IIS core engine uses preconditions to determine when to enable a particular module. Performance reasons, for example, might determine that you only want to execute managed modules for requests that also go to a managed handler. The precondition in the following example (precondition="managedHandler") only enables the forms authentication module for requests that are also handled by a managed handler, such as requests to.aspx or.asmx files.

If you remove the attribute precondition="managedHandler", Forms Authentication also applies to content that is not served by managed handlers, such as.html, .jpg, .doc, but also for classic ASP (.asp) or PHP (.php) extensions

Key point here is " Forms Authentication also applies to content that is not served by managed handlers, such as.html, .jpg, .doc "

Setting runAllManagedModulesForAllRequests="true" effectively renders all modules to run all the time, no matter the precondition, which removed the precondition for the FormsAuthenticationModule .

https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview#preconditions