The default controller in my ASP.NET MVC project is decorated with the [Authorize] attribute. When I deploy the website on my development machine and access the website, I am redirected to the login page (defined in forms loginUrl section of the Web.Config). Result: everything works as expected.
When I publish the website on our production server (Windows Server 2008, IIS 7, DefaultAppPool) and access the website, the expected address shows in the address bar (/Account/LogOn?ReturnUrl=*my_expected_return_url*
), but the page displays "You do not have permission to view this directory or page." instead of the login page. If I remove the [Authorize] attribute on the default controller/action, the page displays correctly.
My Web.Config file:
sessionState mode="InProc" timeout="30"
authentication mode="Forms"
forms loginUrl="~/Account/LogOn" timeout="2880"