Securing Static Resources with Windows Azure Active Directory Authentication

Visual Studio 2013 RC has a very useful feature of creating new ASP.NET application that are configured with Windows Azure Active Directory authentication. You can read more about it here

If you open web.config file of such project that is secured with Windows Azure Active Directory, you will see following section:

Code Snippet
  1. <modules>
  2.       <add name=WSFederationAuthenticationModule type=System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 preCondition=managedHandler />
  3.       <add name=SessionAuthenticationModule type=System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 preCondition=managedHandler />
  4.     </modules>

As you might know, WSFederationAuthenticationModule is the one that is responsible for authenticating incoming requests. However, this module runs only for those requests that go through ASP.NET pipeline. To enable it for all the incoming requests, including those for static files like images, you will have to enable RAMMFAR setting as below:

Code Snippet
  1. <modules runAllManagedModulesForAllRequests=true>

This way you can secure your entire application with WSFederationAuthenticationModule.

Note that RAMMFAR generally has performance implications. It should be turned on only if static resources in a website need to be secured with Windows Azure Active Directory authentication.