
I have a test virtual environment set up with a Windows 2012 R2 IIS web server and a Windows DC controller for DNS etc. I'm working off the Windows 2012 R2 IIS web server, called testweb. I have a simple Visual Studio 2019 Web Forms project running off testweb. It's basically just the initial .NET Web Forms project you start with. I created a login.aspx and have configured my web.config file. I have used several tutorials I found online, such as

https://www.c-sharpcorner.com/UploadFile/fa9d0d/forms-authentication-in-Asp-Net/

https://support.microsoft.com/en-us/help/301240/how-to-implement-forms-based-authentication-in-your-asp-net-applicatio

https://www.youtube.com/watch?v=AoRWKBbc6QI&t=207s (a video showing the same)

I have set my website and the application to allow forms authentication.

IIS website config


Also, the following security is installed for IIS:


My web.config is the default from the initial project with just these added lines:

<authentication mode="Forms">
     <forms loginUrl="login.aspx" defaultUrl="Default.aspx"> 
       <credentials passwordFormat="Clear">  
           <user name="user1" password="password1"/>  
           <user name="user2" password="password2" />  
       </credentials>
     </forms>
  </authentication>


<authorization>
     <deny users ="?" />
     <allow users = "*" />  
  </authorization>

If I attempt to hit the published site I get the following:


If I remove the lines:

<authorization>
     <deny users ="?" />
     <allow users = "*" />  
  </authorization>

Then I can hit http://testweb/testlogin/ and it brings up Default.aspx perfectly fine! So I'm scratching my head, well, banging my head, trying to figure out what is not set properly or what I am missing. I've gone over every tutorial online. Even if I only have deny users ? in web.config, it still doesn't work.

 <authorization>
     <deny users ="?" />
  </authorization>

Any help appreciated. Again, I'm just trying to understand how to get forms authentication working in a test env and go from there, but it seems like as soon as I add Auth to deny anonymous users with ?, it's just denying me all around. My expectations are that I should be getting my login.aspx page, but it just isn't working.

Current web.config based on replies/comments:

<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.7.2"/>
    <httpRuntime targetFramework="4.7.2"/>
    <pages>
      <namespaces>
        <add namespace="System.Web.Optimization"/>
      </namespaces>
      <controls>
        <add assembly="Microsoft.AspNet.Web.Optimization.WebForms" namespace="Microsoft.AspNet.Web.Optimization.WebForms" tagPrefix="webopt"/>
      </controls>
    </pages>

  <authentication mode="Forms">
     <forms loginUrl="login.aspx" defaultUrl="Default.aspx"> 
       <credentials passwordFormat="Clear">  
           <user name="user1" password="password1"/>  
           <user name="user2" password="password2" />  
       </credentials>
     </forms>
  </authentication>

  <authorization>
     <deny users ="?" />
  </authorization>

  </system.web>

  <location path="login.aspx">
    <system.web>
        <authorization>
            <allow users ="*" />
        </authorization>
    </system.web> 
  </location>


  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"> 
      <dependentAssembly>
        <assemblyIdentity name="Antlr3.Runtime" publicKeyToken="eb42632606e9261f"/>
        <bindingRedirect oldVersion="0.0.0.0-3.5.0.2" newVersion="3.5.0.2"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed"/>
        <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="WebGrease" publicKeyToken="31bf3856ad364e35"/>
        <bindingRedirect oldVersion="0.0.0.0-1.6.5135.21930" newVersion="1.6.5135.21930"/>
      </dependentAssembly>      
    </assemblyBinding>
  </runtime>
  <system.codedom>
    <compilers>
      <compiler language="c#;cs;csharp" extension=".cs"
        type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
        warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701"/>
      <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb"
        type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
        warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=\&quot;Web\&quot; /optionInfer+"/>
    </compilers>
  </system.codedom>
</configuration>

The folder that contains my test website has DefaultAppPool set, and the DefaultAppPool user has read/execute. That was not set before, but I set it and it didn't make any difference; see the image below.


UPDATE and FIX

So I finally found this post: https://social.msdn.microsoft.com/Forums/sqlserver/en-US/2920a4e2-775a-4aa7-bfff-4931fa0a4e9a/azure-website-forms-authentication-issue?forum=windowsazurewebsitespreview and I followed it and added a second path statement for just login without the .aspx, and then it worked! I was able to hit my login.aspx page fine.

So my final working Web.config looks like this (just the snippets for forms auth):

 <system.web>

<authentication mode="Forms">
     <forms name=".ASPXAUTH" loginUrl="login.aspx" defaultUrl="Default.aspx"> 
       <credentials passwordFormat="Clear">  
           <user name="user1" password="password1"/>  
           <user name="user2" password="password2"/>  
       </credentials>
     </forms>
  </authentication>

  <authorization>
     <deny users ="?" />
  </authorization>

  </system.web>

  <location path="login.aspx">
    <system.web>
        <authorization>
            <allow users ="*" />
        </authorization>
    </system.web> 
  </location>

  <location path="login">
    <system.web>
      <authorization>
        <allow users ="*" />
      </authorization>
    </system.web>
  </location>
Read IIS log files to see if you hit 401.3 or other substatus code, support.microsoft.com/en-us/help/943891/… – Lex Li

If I debug it from VStudio my browser states "Server Error in '/' Application", then 401.2 Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance. – john johnson

1 Answer

You need to allow unauthenticated users access to your login page.

Try adding this to the web.config:

<location path="login.aspx">
    <system.web>
        <authorization>
            <allow users ="*" />
        </authorization>
    </system.web>
</location>
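
Added example, not part of the question or the answer above: a simplified Python model of how URL authorization resolves the rules in the posted web.config (users only; roles and verbs are ignored), showing why an anonymous request to the extensionless /login is denied until the second location element is added. The function names are hypothetical, the sample config is constructed from the post's final snippets, and the loginUrl exemption and the machine-level default allow rule are modelled as assumptions about ASP.NET's behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the authorization-relevant parts of the final web.config in the post.
FIXED = """<configuration>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="login.aspx" defaultUrl="Default.aspx"/></authentication>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="login.aspx"><system.web><authorization><allow users="*"/></authorization></system.web></location>
  <location path="login"><system.web><authorization><allow users="*"/></authorization></system.web></location>
</configuration>"""

def _rules(system_web):
    """Return [(verb, [users])] from an <authorization> element, in document order."""
    auth = system_web.find("authorization") if system_web is not None else None
    if auth is None:
        return []
    return [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
            for r in auth if r.tag in ("allow", "deny")]

def is_allowed(config_xml, path, user=None):
    """Simplified URL-authorization model; user=None means an anonymous request."""
    root = ET.fromstring(config_xml)
    path = path.strip("/").lower()
    forms = root.find("system.web/authentication/forms")
    # Assumption modelled here: Forms authentication skips authorization for loginUrl itself.
    if forms is not None and forms.get("loginUrl", "").strip("~/").lower() == path:
        return True
    rules = []
    # Rules from a matching <location> are evaluated before the site-wide rules.
    for loc in root.findall("location"):
        loc_path = loc.get("path", "").strip("/").lower()
        if path == loc_path or path.startswith(loc_path + "/"):
            rules += _rules(loc.find("system.web"))
    rules += _rules(root.find("system.web"))
    rules.append(("allow", ["*"]))  # assumed machine-level default: allow everyone
    for verb, users in rules:       # first matching rule wins
        if "*" in users or ("?" in users and user is None) or (user is not None and user in users):
            return verb == "allow"
    return False

def without_location(config_xml, location_path):
    """Return the config with one <location> element removed, for before/after comparison."""
    root = ET.fromstring(config_xml)
    for loc in root.findall("location"):
        if loc.get("path") == location_path:
            root.remove(loc)
    return ET.tostring(root, encoding="unicode")
```

Comparing is_allowed(FIXED, "/login") with is_allowed(without_location(FIXED, "login"), "/login") reproduces the before and after of the fix, while /Default.aspx stays denied for anonymous requests in both.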