We have two websites on our IIS6.
website 1 has an Policy Agent installed, probably correctly (we have done this a few times, so we really think the configuration is OK).
The only protected page app.www.example.com/aaa.aspx redirects the user to a page on site 2 using a GET parameter. Such as app.www.example.com/aaa.aspx?goto=http://www.example.com/mypage.aspx
So when a user hits the aaa.aspx page he is redirected to the login page. By then the goto parameter that was created by deafult.aspx.aspx as goto=http://www.example.com/mypage.aspx has now changed to app.www.example.com/mypage.aspx, which doesn't exist of course, the correct URL is www.example.com/mypage.aspx.
When the user logs in he is redirected to app.www.example.com/aaa.aspx and the aaa.aspx picks up the goto parameter and sends a redirect respond based on the goto parameter, which is the wrong URL. Even if aaa.aspx has a hardcoded to www.cnn.com it gets rewritten to app.www.example.com/mypage.aspx.
Any one knows if this is a Policy Agent issue or should we look elsewhere? Perhaps an IIS6 issue? And what can be done about it?