This one has me stumped, and I think it might be a bug in Microsoft's MVC implementation. I am building an MVC website using VS2008 SP1. In an attempt to lock down my website I edited my controller to look like this:

1    public class IdeaController : Controller
2    {
3    [Authorize(Users = "whozmom")] 
4    public ActionResult Index(string zapp, int? page)

I am using ASP.NET membership and forms authentication. When I publish my code to my host it pops up a Windows authentication dialog box. I've been racking my brains trying to figure out what edit I might have done to cause this. I've pretty much completely rewritten my application trying to figure this out and have narrowed it down to one change in my Global.asax.cs file. First let me show you (the relevant portion of) the bugged version:

1    routes.MapRoute(
2         "Ideas", 
3         "{zapp}/{page}/", 
4         new { controller = "Idea", action = "Index", zapp = "Office", page = "" }
5    );
6    
7    routes.MapRoute(
8         "Default",                                              // Route name
9         "{controller}/{action}/{id}",                           // URL with parameters
10        new { controller = "Idea", action = "Index", id = "" }  // Parameter defaults
11   );

When I run my code with this route locally my browser just comes up blank...the Logon page never shows. If I run my application on my host, it pops up a Windows authentication dialog box. If I change my routing to instead be:

1    routes.MapRoute(
2         "Ideas", 
3         "Ideas/{zapp}/{page}/", 
4         new { controller = "Idea", action = "Index", zapp = "Office", page = "" }
5    );
6    
7    routes.MapRoute(
8         "Default",                                              // Route name
9         "{controller}/{action}/{id}",                           // URL with parameters
10        new { controller = "Idea", action = "Index", id = "" }  // Parameter defaults
11   );

Everything works fine. Notice the edit on line #3, adding "Ideas/" in front of my URL string. Can someone explain this to me? I can also fix the problem by removing the Authorize line from my controller (line #3 above), but then of course I lose my security.

UPDATE: Here is my full membership section:

<membership>
    <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ApplicationServices"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="false"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="6"
             minRequiredNonalphanumericCharacters="0"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression=""
             applicationName="/" />
    </providers>
</membership>
+1  A: 

What do you have in the membership section of your web.config?

Olivier PAYEN