The next step is to build the functionality inside of the ASP.NET application to support forms authentication for classic ASP users. The general idea is that with both ASP pages and ASP.NET pages located in same virtual directory (and, thus, the same application in IIS 7.0), you want unauthenticated users to be forced to authenticate using ASP.NET's forms authentication mechanism.
After a user successfully logs in with forms authentication, the user should be redirected to the original requested page. This should occur regardless of whether the originally requested resource was an ASP.NET page or a classic ASP page. On subsequent requests, again regardless of the type of requested resource, you want ASP.NET to transparently verify the validity of the forms authentication cookie and then pass the request along.
For starters, you need to configure the ASP.NET application with the basics necessary to enable forms authentication and enforce authenticated access:
<authentication mode="Forms"/> <authorization> <deny users="?"/> </authorization>
With these settings, anonymous users will be redirected to the forms authentication login page. For now, just add a basic login page called Login.aspx to the sample application, and place a Login control onto the web page.
You can't directly access default.asp at this point. Instead, because the wildcard mapping first routes the request to ASP.NET, and the ASP.NET configuration denies access to all ...