So lets say you’re moving from Windows 2008 R2 IIS 7.5 to something newer and you have Certificate Trust List (CTL) you use for CAC authentication. You’re used to that CTL being passed down to the client to then filter the user certificates on their system to only be the ones available that you want them to be. You migrate to Windows 2019 with IIS 10 and instead of that nice filtered list you instead get ALL certificates on a user’s system instead.
If you disable Allow unlisted file name extensions in IIS using the Request Filtering module you’ve always had to then allow “.” (just a period by itself) in the File Name Extensions to then allow IIS to feed up the default document without it being in the URL. For example http://www.google.com versus http://www.google.com/index.htm which without the . added won’t work. In IIS 10 on a couple of websites we found they would throw 404.7 errors when this was configured even with the . in the allow list.
I noticed this for the first time on a Windows Server 2019 system when I was migrating websites from Windows Server 2008 R2 using Web Deploy 3.6 from Microsoft. I started loading websites to test them and was greeted by IIS Error 404.19 – Denied by filtering rule. If you hit refresh it might then load successfully and do so a couple of times then fail again with another 404.19 error. In IIS this is the website -> Request Filtering -> Rules area for a website.