I created a controller in my ASP.NET MVC application to handle warming up / initializing the application (i.e. initial loading client-side web service proxies and other actions that could initially take a good chunk of time). To call the WarmUp controller, I use the IIS 7 / 7.5 warm-up module to send a request when the application pool starts.
I donβt want all users to be able to perform WarmUp controller actions, so I decorated the controller with the [Authorize] attribute. I even created a group in my domain that contains users who should be allowed to perform warm-up actions, and added this group as a role for the authorize attribute (ie [Authorize(Roles = @"MyDomain\AppWarmUp")] ).
If I manually call the WarmUp controller using a web browser and provide the correct credentials, everything works as expected. However, when using the IIS warm-up module, even when I provide the correct credentials, I see warnings in the application event log indicating that authentication failed.
If I specify only the type and username for the user context of the warm-up module, I get a ProviderException with the message
The method is supported only if the username parameter matches the username in the current Windows authentication system.
If I specify both the username and password / token, I get an ArgumentException message with the following message:
Invalid token for impersonation - it cannot be duplicated.
If I remove the [Authorize] attribute from my controller, the request for the warm-up module passes without any exceptions. However, I would like to avoid the case where all users can access the WarmUp controller, if possible. Could this be a mistake in the warm-up module or am I missing something?
It may also be interesting to note that I also tried using the autoplay feature of ASP.NET 4.0 applications, but it did not seem to affect what the actual request to the application was doing. Are there any other alternatives to consider?