IIS Express is automatically disabling anonymous authentication for my project, why?
When I switch my ASP.NET MVC project from Cassini web server to IIS Express, this is added to my applicationhost.config file:
<location path="MyProject">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
It's causing the site not to load with 401.2 - Unauthorized and I can't fix it on the Web.config level - it will then complain that the section is locked at parent level (HTTP 500.19).
I can fix it by amending the applicationhost.config file but I don't understand why I should need to when no such section is added for a vanilla ASP.NET MVC project. What can be wrong?
I'm using VS 11 beta but also confirmed this weird behavior in 2010 SP1. IIS Express says it's version 7.5.
Answer
It was because for some reason, this was in my csproj file:
<IISExpressAnonymousAuthentication>disabled</IISExpressAnonymousAuthentication>
Setting it to enabled fixes the issue (it can also be done from Visual Studio, select project, F4, set Anonymous Authentication in the properties grid to Enabled).