I created a controller in my ASP.NET MVC application to handle the application warm-up/initialization (i.e. initial loading of web service client proxies and other actions that can initially take a good chunk of time). To call the WarmUp controller, I am using the IIS 7/7.5 warm-up module to send a request whenever the application pool starts up.
I do not want all users to be able to execute the WarmUp controller actions, so I decorated the controller with an [Authorize] attribute. I even created a group in my domain that contains the users who should be allowed to execute the warm-up actions, and added this group as a role for the authorize attribute (i.e. [Authorize(Roles = @"MyDomain\AppWarmUp")]).
If I manually invoke the WarmUp controller using a web browser and provide proper credentials, everything works as expected. However, when using the IIS warm-up module, even when I provide proper credentials, I am seeing warnings in my Application event log specifying that the authentication failed.
If I specify only a type and user name for the warm-up module's user context, I get a ProviderException with the message
Method is only supported if the user name parameter matches the user name in the current Windows Identity.
If I specify both a username and password/token, I get an ArgumentException with the following message:
Invalid token for impersonation - it cannot be duplicated.
If I remove the [Authorize] attribute from my controller, then the warm-up module's request goes through without any exceptions. However, I would like to avoid the case where all users can access the WarmUp controller, if possible. Could this be a bug in the warm-up module or am I missing something?
It may also be worth noting that I have tried the ASP.NET 4.0 application auto-start functionality as well, but it did not seem to have the same effect as making an actual request to the application does. Are there any other alternatives to consider?
