iis-7iis-7.5Securitywindows-server-2008-r2
We have a web site that should only be available for authorized users. So we deny anonymous access for the site. However we do allow anonymous access to the default page and the login page.
When we installed SP1 the behavior of the server changed. Now if the user is trying to access the root of the site, say http://mysite.com, she is redirected to login page rather than the default page. Is there a hotfix to bring back the previous behavior?
So you can call the file explicitly but when you just use the default address like 127.0.0.1 it doesn't work? The first I would do is make sure the default document is also set to index.php. IIS7 will not do this even if you correctly set document handlers to recognize php(which it looks like you have if your index.php displays correctly).
Open the IIS7 control panel from the Computer Management panel. On the tab under Connections click Sites, the default web site. In the next panel to your right titled Default Web Site Home scroll down till you see Default Document and click on it. If it doesn't have index.php or whatever you want as your default file name then click on Add under Actions and type in the name you want to use. You may need to restart the service I am not sure. This should solve the problem, if you only want to do this for a single site under IIS then you can click on the individual site in the connections panel, then Default Document.
With regard to your second question about how to ensure that configuration changes are persisted to a site's web.config rather than applicationHost.config, this can be controlled via Feature Delegation.
If you navigate to the machine node of IIS Manager you will see an icon named "Feature Delegation":
Launch this IIS "applet" and you will be presented with a list of features that can have their configuration delegated to web.config.
Settings that are marked Read/Write will usually have their settings written to the web.config file. Settings that are marked Read Only will usually have their settings written to applicationHost.config and cannot be overridden in the web.config file.
As it so happens the <windowsAuthentication> configuration can be delegated to the web.config file.
Minor Gotcha:
Not all of the applets surface the full range of settings you can configure. A good example of this as it so happens is the <windowsAuthentication> useAppPoolCredentials attribute. It's no-where to be seen in the Authentication applet, not even under Advanced Settings.
However you can get at this value (and pretty much everything else) via the Configuration Editor. If you navigate to your web site's node in the left hand pane in IIS manager you will see this icon under Management:
If you launch the Configuration Editor you'll be presented with a dropdown list containing a tree of various settings:
If we select the /system.webServer/security/authentication/windowsAuthentication node we are presented with the full spectrum of settings that can be changed. Here we can see the setting we're interested in (useAppPoolCredentials):
You can choose whether to configure the values for the website in web.config or in applicationHost.config from the From: drop down list next to the config section tree drop down:
If a section has not been delegated as Read/Write in the web.config then you'll see the following:
We get an alert saying that this particular feature is locked, all of the settings are greyed out and disabled and there's a padlock indicating that child settings of this feature are also locked out.
Finally, not all settings can be delegated, for example site bindings, application pool, virtual directories.
Best Answer
You're default page for root of site is controlled by the "Default Document", which is a list of files tried one after the other when browsing to the root of a site/folder. Check there to be sure the one you want is at the top, as maybe the SP reset the list or the inheritance of the list.