Why does IIS Anonymous Authentication turn on by itself after I publish my project to server?


I'm having a weird problem with my ASP.NET site. My site uses Windows Authentication, and I have set the authentication option on IIS server to deny Anonymous Authentication. However, whenever I upload my project to IIS server, Anonymous Authentication for my site turns on by itself.

This is my applicationHost.config. Notice Anonymous Authentication is set to false here, but every time I publish my site, it is automatically changed to true, and I have to log in to the web server and manually change it back.

<location path="[my root folder]">
    <system.webServer>
        <security>
            <authentication>
                <windowsAuthentication enabled="true" />
                <anonymousAuthentication enabled="false" />
                <basicAuthentication enabled="false" realm="" defaultLogonDomain="[my domain]" />
            </authentication>
        </security>
    </system.webServer>
</location>

And this is my web.config

<system.web>
   <compilation debug="true" targetFramework="4.5" />
   <httpRuntime targetFramework="4.5" maxRequestLength="102400" executionTimeout="3600" requestLengthDiskThreshold="102400"/>
   <authentication mode="Windows" />
   <authorization>
      <deny users="?" />
   </authorization>
   <customErrors mode="On" defaultRedirect="[my error page]"/>
</system.web>

In the past I used to allow anonymous authentication to 1 particular sub folder, using the following setting

<location path="[my sub folder]">
    <system.webServer>
        <security>
            <authentication>
                <windowsAuthentication enabled="false" />
                <anonymousAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
</location>

And

<location path="[my sub folder]">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>

However I no longer use that setting.

gzup On BEST ANSWER

After a few days of poking around, I finally found the reason. It turned out that while I did disable anonymous authentication for my individual site, I forgot to turn off anonymous authentication at the server-wide level. In case someone gets the same error, these are the steps I used to solve it:

  • Open IIS control panel.
  • In the tree view on the left, select your server's name instead of your individual site.
  • In the newly opened panel on the right, double click authentication under IIS.
  • Right click on anonymous authentication and select disable.
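
The same server-level change as a script, preceded by a report of the anonymous authentication value at the server level and for each site. This is an added example, not part of the original answer; it assumes the WebAdministration module (installed with the IIS management tools) and an elevated PowerShell session on the web server, and the function name is made up for illustration.

```powershell
# Added example (not from the original answer).
# Assumes: WebAdministration module available, elevated session on the IIS host.
Import-Module WebAdministration

$filter = '/system.webServer/security/authentication/anonymousAuthentication'
$server = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, server-wide level

# Hypothetical helper: reads the 'enabled' attribute from applicationHost.config.
# Empty -Location = server-wide default; a site name = value applied to that site.
function Get-AnonymousAuthState {
    param([string]$Location = '')
    $p = @{ PSPath = $server; Filter = $filter; Name = 'enabled' }
    if ($Location) { $p.Location = $Location }
    $v = Get-WebConfigurationProperty @p
    # The cmdlet normally returns an attribute object; accept a bare boolean too.
    if ($v -is [bool]) { $v } else { [bool]$v.Value }
}

# Report: server-wide level first, then every site.
$scopes = @('') + @(Get-Website | ForEach-Object { $_.Name })
$scopes | ForEach-Object {
    [pscustomobject]@{
        Scope            = $(if ($_) { $_ } else { '(server-wide)' })
        AnonymousEnabled = Get-AnonymousAuthState -Location $_
    }
} | Format-Table -AutoSize

# Scripted form of the answer's steps: disable it at the server level.
if (Get-AnonymousAuthState) {
    Set-WebConfigurationProperty -PSPath $server -Filter $filter `
        -Name enabled -Value $false
    Write-Output 'Anonymous Authentication disabled at the server level.'
}
```

Disabling at the server level changes the inherited default for every site on the host, so any site that still needs anonymous access must enable it explicitly in its own location block.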