The default controller in my ASP.NET MVC project is decorated with the [Authorize] attribute. When I deploy the website on my development machine and access the website, I am redirected to the login page (defined in forms loginUrl section of the Web.Config). Result: everything works as expected.

When I publish the website on our production server (Windows Server 2008, IIS 7, DefaultAppPool) and access the website, the expected address shows in the address bar (/Account/LogOn?ReturnUrl=*my_expected_return_url*), but the page displays "You do not have permission to view this directory or page." instead of the login page. If I remove the [Authorize] attribute on the default controller/action, the page displays correctly.

My Web.Config file:

<sessionState mode="InProc" timeout="30" />
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
+1  A: 

Do you have a section in your web.config to explicitly allow non-authorised users to access the ~/Account/LogOn page?

<configuration>
  <location path="~/Account/LogOn">
    <system.web>
      <authorization>
        <allow users="*" />
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
Andrew
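
One way to check the point raised in the answer, as an added example that is not part of the original post: a small Python audit that reads a web.config and reports whether the Forms `loginUrl` is covered by a rule letting anonymous users through. The function names, the path normalization, and the sample config are assumptions made for illustration; only `users` rules in a single file are evaluated (no roles, verbs, or parent config files).

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the asker's real file): Forms auth, anonymous users
# denied site-wide, and a <location> override for the login page.
SAMPLE = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="2880" />
    </authentication>
    <authorization><deny users="?" /></authorization>
  </system.web>
  <location path="Account/LogOn">
    <system.web>
      <authorization><allow users="*" /></authorization>
    </system.web>
  </location>
</configuration>"""

def norm(path):
    # Assumption: compare paths case-insensitively, ignoring a leading "~/" or "/".
    return path.lstrip("~").strip("/").lower()

def first_match(authz):
    """First allow/deny rule that applies to an anonymous user ("?" or "*")."""
    for rule in (authz if authz is not None else []):
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if rule.tag in ("allow", "deny") and ("*" in users or "?" in users):
            return rule.tag
    return None

def login_page_anonymous_access(xml_text):
    """Return 'allow', 'deny', 'inherited' (no rule in this file) or 'no-forms-auth'."""
    root = ET.fromstring(xml_text)
    forms = root.find("./system.web/authentication/forms")
    if forms is None:
        return "no-forms-auth"
    login = norm(forms.get("loginUrl", "login.aspx"))
    # Most specific <location> covering the login URL is checked first.
    locations = sorted(root.findall("location"),
                       key=lambda l: len(norm(l.get("path", ""))), reverse=True)
    for loc in locations:
        p = norm(loc.get("path", ""))
        if p and (login == p or login.startswith(p + "/")):
            verdict = first_match(loc.find("./system.web/authorization"))
            if verdict:
                return verdict
    return first_match(root.find("./system.web/authorization")) or "inherited"

if __name__ == "__main__":
    print(login_page_anonymous_access(SAMPLE))
```

A result of `inherited` means this file contains no rule for anonymous users on the login path, so the effective setting comes from configuration outside the file.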