Protect file types (.xml, .doc, .html, .pdf etc.) using ASP.NET authentication: Microsoft ASP.NET

Because requests to .xml, .doc, .html, .pdf etc handled by the IIS instead of asp.net ISAPI module first it is required to configure specified extensions to be handled by the asp.net ISAPI module

How to configure custom file extension to be handled by the asp.net ISAPI module

In IIS (run ‘inetmgr’)

1. Locate the website (or virtual directory, which configured as a web application) you want to configure custom file extensions to be secured.
2. Right click and find the ‘Virtual Directory’ tab under properties
3. In ‘Virtual Directory’ tab click configuration
4. Add extension (ex: .xml) and browse aspnet_isapi.dll from the usual location (C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727). If you can’t find the exact directory perform a search and locate it.
5. Uncheck ‘check that file exist’ checkbox just in case of request to a non existing file. then press ok
6. If it is local it is recommend to do a IIS reset (run ‘iisreset’) if not if it is the production server or UAT, recycle the application pool

For securing asp web applications: please review my previous post - ASP.NET Authentication