IIS 7.5 confused between Windows Authentication and Forms Authentication
Solution 1:
For future reference, this looks like a misunderstanding between authentication modes.
IIS 7+ has two modes - one using a built-in HTTP-level set of authentication options -
in <system.webServer>
, and one for ASP.Net, in <system.web>
.
The ASP.Net behaviours don't become available until you run an ASP.Net handler - whether in Classic or Integrated mode - and then still (usually) apply after the IIS-level system.webServer/security
settings.
In the example above, the addition of an ASP.Net page changed the behaviour for (at least) that page, and I'd guess possibly added wildcard handler mappings to handle extensionless URLs through .Net.
There's then also the URL Authorization (IIS, i.e. system.webServer
) vs .Net Authorization (.Net, i.e. system.web
) rules to consider - in general, pick one set per app and stick to it.