I'm supporting a site that still uses mixed ASP.Net and classic ASP. The user receives a 'You are not authorized' error page while accessing certain classic ASP page. I've checked her active directory account and she could had access other pages in the said site. I wonder if it could be arttributed to classic ASP or to IIS.
views:
423answers:
3ASP is a very simple framework. I cannot imagine it having its own security framework (i assume that means user authentication etc.) unless it was programmed into the application itself.
ASP is entirely dependant on the underlying IIS and the OS for security. It has none of its own. In ASP you access Request.ServerVariables("AUTH_USER")
etc when the connection authenticated but this is done by IIS.
You can force ASP to use the ASP.NET authentication by making a few changes in IIS so ASP files are using the aspnet_isapi.dll just like the asp.net pages.
Scott Guthrie published an article about this Tip/Trick: Integrating ASP.NET Security with Classic ASP and Non-ASP.NET URLs
Once you make this change classic asp pages can be protected just as asp.net pages using the standard asp.net security features.