forms authentication with web.config. Always works on dev, never works on live!

Question

Here is the web.config;

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <customErrors mode="Off">
    </customErrors>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="999999">
        <credentials passwordFormat="MD5">
          <user name="admin" password="21232F297A57A5A743894A0E4A801FC3" />
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <allow users="?" />
      <allow users="*" />
    </authorization>
    <trace enabled="true" localOnly="false" />
  </system.web>
  <location path="administration">
    <system.web>
      <authorization>
        <allow users="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

When I run this on my visual studio 2008 dev server it runs fine and works well. When I publish to IIS I always get Http 403 Forbidden Errors when trying to access any page on the site

There is 1 folder within my site that should be login protected called 'administration'

Please can someone point out where I am going wrong! I'm Getting very frustrated :0)

Thanks!

Answer 1

I had a similar problem and my situation may be different than yours, but I solved it by using Fiddler and checking the authentication cookie, to see if it was being passed to the client. My problems were with me running VS 2008 on Vista, which required admin privileges. When I tested on the local server, I was running as the user I was logged in as and that user wasn't admin so I was dealing with two cookies. Plus I set the authentication paths incorrectly. Hope this helps.

Answer 2

The solution was configuration in IIS

Properties > Directory Security > Edit > Authentication Methods > Uncheck 'Integrated Windows Authentication'

After this config everything is now working fine.