Archive for April 19th, 2012

MVC3/Webforms app using forms authentication – CSS & Images folder not accessible before login

This is very usually embarrassingly simple. You have a site which is locked down using forms authentication, but your login page needs the css and images- so you add settings to your web config telling the app only authenticated users can come in, but no one else can- then you add a couple of exceptions for your specific folders- like so;

<configuration>
	<system.web>
		<authentication mode="Forms" >
			<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
			</forms>
		</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
		<authorization>
			<deny users="?" /> 
		</authorization>
	</system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
		<location path="default1.aspx">
		<system.web>
		<authorization>
			<allow users ="*" />
		</authorization>
		</system.web>
		</location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder.  -->
		<location path="subdir1">
		<system.web>
		<authorization>
			<allow users ="*" />
		</authorization>
		</system.web>
		</location>
</configuration>

This is documented on the MSDN on this article.

I just deployed an existing site to a new dev server and found everything ran fine, except the css and images would not load on the login page, despite me having the exception in the web.config.

After lots of Googling (most articles simply explain that you need the above exception’s in your config!) I found this little gem which explained I needed to;

  1. Open the IIS7.5 control panel
  2. Select the application
  3. double-click “Authentication”
  4. select “Anonymous Authentication”, then Edit
  5. change it to use the Application Pool Identity. Make sure that user has permissions on the folder that contains the site

No Comments