46

When I switch my ASP.NET MVC project from Cassini web server to IIS Express, this is added to my applicationhost.config file:

<location path="MyProject">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
</location>

It's causing the site not to load with 401.2 - Unauthorized and I can't fix it on the Web.config level - it will then complain that the section is locked at parent level (HTTP 500.19).

I can fix it by amending the applicationhost.config file but I don't understand why I should need to when no such section is added for a vanilla ASP.NET MVC project. What can be wrong?

I'm using VS 11 beta but also confirmed this weird behavior in 2010 SP1. IIS Express says it's version 7.5.

Borek Bernard
  • 50,745
  • 59
  • 165
  • 240
  • Related post - [IIS Express Windows Authentication](https://stackoverflow.com/q/4762538/465053) – RBT Sep 16 '21 at 05:01

3 Answers3

88

It was because for some reason, this was in my csproj file:

<IISExpressAnonymousAuthentication>disabled</IISExpressAnonymousAuthentication>

Setting it to enabled fixes the issue (it can also be done from Visual Studio, select project, F4, set Anonymous Authentication in the properties grid to Enabled).

Borek Bernard
  • 50,745
  • 59
  • 165
  • 240
  • Borek, I've had exactly the same issue. I think this is something to do with VS 11? (in that it wrote those settings in) – James Crowley Apr 10 '12 at 12:11
  • 1
    Thank you, I had the same issue here VS 11 Beta. Changing the setting above fixed the issue for me. Thank you! – Jon Kragh Apr 14 '12 at 13:26
  • 1
    AWESOME @Borek... I was going crazy because of this! :) – Leniel Maccaferri Jun 11 '12 at 17:04
  • Yeah - not sure why this is the default. Thanks for the help! – Danny Douglass Jun 18 '12 at 18:32
  • 1
    Thank you, this is great! I never would have found that. I wonder why this is not in the project properties sheet with the other project options. – Chris Dec 18 '12 at 09:05
  • Confirmed. When I changed this to enabled, my web application allowed anonymous access running through Visual Studio / IIS Express. Questions: Is there a way to change this setting in Visual Studio without having to modify the file in an editor? – Aron Boyette May 05 '15 at 15:58
  • 5
    It's actually `.csproj.user` that is used to generate `applicationhost.config`, and the project's property grid setting is *read* from `.csproj.user` and *written* to both `.csproj.user` *and* `.csproj`. I noticed as I tried to fix the `.csproj` by hand and it still didn't work. – John Mar 29 '18 at 15:18
  • 1
    Confirmed this worked for me, after the setting was automatically disabled after some days' network connectivity instability. – Morten Nørgaard Apr 25 '18 at 10:12
  • 1
    It worked for me with the F4 thing. (editing the csproj alone did not work). – XouDo Mar 12 '19 at 11:59
5

please right click on the project and select use iis express before pressing F4.

Raju S Nair
  • 333
  • 2
  • 5
  • 17
0

Sometimes ago, I faced the same difficulty, but it was little different from what I see over here. In my laptop I have both VS 08 and VS 13, and SQL Server 2008 R2 and 11G XE. For websites connecting to R2 has never been a problem, but when I was trying to build a website using oracle membership with asp.net, I found that pages open but pages under folder with roles are not opening and giving me the access denied error. Though the folder had a proper web.config inside and the user created with the same role, still it was throwing up the same error. Finally I realized I need the authentication mechanism going and so I added the following code in the system.web of web.config:

<authentication mode="Forms">
<forms loginUrl="Login.aspx" protection="All" slidingExpiration="true"
timeout="90" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
<identity impersonate="false"/>
<trace
enabled="false"
requestLimit="10"
pageOutput="false"
traceMode="SortByTime"
localOnly="true"
/>

And it did work, now my authenticated users can loginto designated folders! I hope this might help someone who faced issues similar to me.

user3615318
  • 125
  • 1
  • 1