I'm having a weird problem with my ASP.NET site. My site uses Windows Authentication, and I have set the authentication option on IIS server to deny Anonymous Authentication. However, whenever I upload my project to IIS server, Anonymous Authentication for my site turns on by itself.
This is my applicationHost.config. Notice Anonymous Authentication is set to false here, but every time I publish my site, it is automatically changed to true, and I have to login to the web server and manually change it back.
<location path="[my root folder]">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="false" realm="" defaultLogonDomain="[my domain]" />
</authentication>
</security>
</system.webServer>
</location>
And this is my web.config
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" maxRequestLength="102400" executionTimeout="3600" requestLengthDiskThreshold="102400"/>
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<customErrors mode="On" defaultRedirect="[my error page]"/>
</system.web>
In the past I used to allow anonymous authentication to 1 particular sub folder, using the following setting
<location path="[my sub folder]">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="false" />
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
And
<location path="[my sub folder]">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
However I no longer use that setting.
After a few days of poking around, I finally found the reason. Turned out that while I did disable anonymous authentication for my individual site, I forgot to turn off anonymous authentication on the server wide level. In case someone got the same error, this is the steps I used to solve it: