I don't know if this is an application configuration issue or an IIS issue. Please forgive me if this should be going on ServerFault.
I have an ASP.NET MVC application (I think the MVC is irrelevant, but anyway). I am getting differing behavior, authentication-wise, on my Windows 7 development machine versus on my Server 2008 machine. Basically, the server behavior is as desired, but the Windows 7 behavior seems to ignore directives in my web.config. I have forms authentication set and anonymous users denied in the web.config. Then, in order for the logon page to be able to display graphics, CSS, etc. I have a tag set to allow all users into my /Content folder, which contains said graphics, CSS, etc. The idea is that forms authentication doesn't interfere with the static content.
What is happening is when the user is forwarded to the login page as the normal part of forms auth, on the server the page is normal, but on the Windows 7 machine, no graphics or CSS are displayed. When I checked direct URLs to those graphics, it turns out each request for a graphic is also being redirected by forms authentication.
Here's the pertinent part of my web.config:
<configuration>
<location path="Content">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" enableCrossAppRedirects="true" defaultUrl="/"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Can anyone think why, on the server machine, this works as desired? The unauthenticated request is forwarded to /Account/LogOn, yet the page graphics/CSS are still served. Yet, on the development machine (Windows 7), while the unauthenticated request is redirected as expected, so are the graphics in /Content?