Authorization in ASP.NET 4

Question

I have a site which is running in ASP.NET 4.0, on Windows 7 Ultimate.
It is using FormsAuthentication, with a nice little logon page, all of which is fine so far as logging in and authenticating.

What is NOT working okay though is directory authorization overriding in sub-directories.

I want both authenticated and non-authenticated users to have access to the inc and images directories, so that the login page can be properly CSS-styled and have the logo and such on the top.

Okay, easy enough, right? I tried allowing anonymous access to these folders both by a <location> tag in the root web.config as so:

<location path="images">
    <system.web>
        <authorization>
            <allow users="*,?" />
        </authorization>
    </system.web>
</location>

as well as individual web.config file in the target directories as so:

<?xml version="1.0"?>
<configuration>
    <system.web>
        <authorization>
            <allow users="*,?" />
        </authorization>
    </system.web>
</configuration>

but for some reason it is not allowing the anonymous user into those directories. I've verified it has to do with authorization by trying to go directly to one of the image's URLs and it fails. But after logging in I can pull it up just fine.

Was something changed in .NET 4.0 with regards to authorization that this would not be working? I've done the same exact thing in 2.0 and 3.5 sites with no problem.

Answer 1

Figured this out. I had moved my web site directory from the default. And although IIS had given the IIS_IUSERS group permission to that directory it for some reason did not give the IUSR user rights to the directory. Added him on manually, and BOOM, it worked!