HTTP Error 404.15 - Not Found ...because the query string is too long

Rob Bowman picture Rob Bowman · Feb 12, 2015 · Viewed 41.8k times · Source

I've checked lots of posts about this error but not been able to fix the problem yet.

I have simple MVC5 website built in VS2013 running on Windows 8 pro. When the site was created the option for individual accounts was selected. I now need to enable windows authentication so that only AD account users can use the website and also authorisation so that I can limit access to certain views / controllers to particular AD groups.

Having selected the web project within VS I have updated the properties window (F4) so that Anonymous Authentication is set to disabled and Windows Authentication is set to Enabled.

The web.config for the project now contains the following sections:

<system.web>
    <authentication mode="Windows" />
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <system.webServer>
    <modules>
      <remove name="FormsAuthenticationModule" />
    </modules>
  </system.webServer>

I access the site from IIS or F5 I get the error: HTTP Error 404.15 - Not Found The request filtering module is configured to deny a request where the query string is too long. I notice that something has looped to give a ReturnUrl which is a repeating long concatenation within the query string.

Within the IIS\Authentication section, I have set to disabled "Anonymous Authentication, ASP.Net Impersonisation, and Forms Authentication". Within the section IIS.Net Authorization Rules I have set to Deny "Anonymous Users" and Allow "All Users"

Where am I going wrong?

Answer

Chris Pratt picture Chris Pratt · Feb 12, 2015

The only time I've personally run into this issue is when I accidentally added [Authorize] to a child action that was used in the layout. Adding [Authorize] to your sign in action would have the same effect or simply neglecting to add [AllowAnonymous] on your sign in action, when the controller it is in has [Authorize] on it. Long and short, this is being caused by something requiring authorization on the actual sign in page, which then causes you to be redirected to the sign in page, which needs authorization, causing you to be redirected to the sign in page, etc.

tl;dr

  1. Make sure your sign in / login action does not have [Authorize].
  2. Make sure your sign in / login action does have [AllowAnonymous].
  3. Make sure no child actions used in your layout or sign in page have [Authorize] or have [AllowAnonymous] if they are in a controller decorated with [Authorize].