How to allow anonymous access to web-site on IIS 7.5?

Question

tl;dr: Why does

<allow users="?">

work on IIS Express, but not on IIS?

Background

I have a new asp.net web-forms project. When running locally on Windows 7 IIS Express, i can block "all users" from accessing the site by adding a deny * rule to web.config:

web.config

<configuration>
   <system.web>
      <authorization>
         <deny users="*" />
      </authorization>
   </system.web>
</configuration>

this causes me to be denied access:

And so that makes sense.

I can deny access to anonymous users

I the web.config, i can block access to anonymous users, by using the ? marker, rather than the all (*) marker:

      <authorization>
         <deny users="?" />
      </authorization>

And because i am not authenticated, i will again be 401 Unauthorized:

And that makes sense.

Allow anonymous

I can allow anonymous access, by changing the deny in web.config to allow:

<authorization>
  <allow users="?" />
</authorization>

And now I am brought right to the homepage:

and that makes sense.

But doesn't work on IIS

The above works on IIS Express. But when i publish to Windows Server 2012 R2 IIS 7.5, trying to allow anonymous (?) users does not work:

That makes no sense:

works on IIS Express
fails on IIS 7.5

Try allowing everyone

Rather than:

allowing just anonymous users (?)
i can try to allow all users (*)

i change web.config again to allow everyone (*):

<authorization>
  <allow users="*" />
</authorization>

And locally i can still access the site:

but once i publish to IIS 7.5 it still fails:

What's going on?

I'm not doing anything wrong. So what do i need to change?

Initially i created an empty web-site, and started adding things to it. Later, i need to create real web-site (with pages that displayed information, and buttons to click), so i started over with an Empty Web Forms web-site.

My feeling is that Owin broke everything.

Nevertheless, what is going on?

Solution

I found it. There are some settings about a web-site that do not go with the web-site. That is, there are configuration options about a web-site that you cannot configure through web.config, or any other file in the web-site's folder. In particular:

I don't know where IIS stores the use of anonymous authentication. But without anonymous authentication, IIS is unable to realize that an anonymous user is anonymous.

Enabling anonymous authentication:

causes IIS to realize that anonymous users are anonymous.

That explains:

why it worked on IIS Expres
why it didn't work on IIS 7.5
why it still didn't work when both web-sites have the exact same set of configuration files

It doesn't explain why IIS doesn't treat anonymous users as anonymous when anonymous authentication is not enabled; but that's another issue for another day. If you've read down to here, you can copy-paste everything i just said, and get the accept. Otherwise i'll have to wait two days to answer it myself. Better you get the rep.

score 7 · Accepted Answer · edited May 24 '16 at 15:14

You learn something by finding the solution. Congratulation.

Authorization happens after authentication. So on IIS you saw the 401.2 error page before the authorization rule was ever processed. Only after a proper authentication method is set to enabled, then things start to work out.

IIS Express should give you the same 401.2 error page if you disable all its authentication methods. Just a note.

A Microsoft Patterns and Practices article explains more about why you need anonymous authentication enabled in order to allow anonymous users:

ASP.NET authentication is a two-step process. First,

Internet Information Services (IIS) authenticates the user and creates a Windows token to represent the user.

If IIS is configured to use anonymous authentication, a token for the IUSR_MACHINE account is generated and used to represent the anonymous user.

IIS-then passes the token to ASP.NET.

Note Because forms authentication does not rely on IIS authentication, you should configure anonymous access for your application in IIS if you intend to use forms authentication in your ASP.NET application

In IIS, anonymous access is enabled for all applications that use forms authentication.

IIS allows the request because anonymous access is enabled in the IIS metabase. ASP.NET confirms that the authorization element includes a tag.

There are two ways for a user to be authenticated when issuing a request to IIS:

IIS authenticates your identity itself (using Basic, Digest, or Windows authentication)
IIS is configured to allow "anonymous" authentication, and the web-site will handle authentication itself

The confusing part here is that there is a difference between:

anonymous as far as IIS is concerned
anonymous as far is ASP.net Forms authentication is concerned

From IIS's point of view any request that will be authenticated using Forms (or Owin, or any other custom authentication module) is still an anonymous request:

| IIS Authentication | Application Authentication |
|--------------------|----------------------------|
| Basic              |                            |
| Digest             |                            |
| Windows            |                            |
| Anonymous          | Forms                      |
| Anonymous          | Owin                       |
| Anonymous          | BasicAuthModule            |

When i was attempting to allow anonymous users access:

<allow users="?" />

That is a Forms authentication directive. But in order to even reach forms authentication, you must allow anonymous authentication at the IIS level.