I know this question has been asked several times on SO, but none of those answers have worked in my situation. I have an ASP.NET MVC2 app that uses Forms authentication on my local IIS 7.5(7600.16385) on an AppPool running in integrated mode. Interestingly, this does not happen when using the development web server that comes with VS 2010. My web.config file contains no <authorization /> and no <location /> elements. When I hit the home page, I get everything in the logon view except for the .CSS and .PNG files stored in the ~/Content directory. When I directly request the .CSS file with http://localhost/WebSubscribers/Content/Site.css, I am redirected to the logon page. It seems like a wild-card mapping tries to authorize every request even when I allow that request using <location path="Content" /> as shown below:

<location path="Content" >
 <system.web>
  <authorization>
   <allow users="*"/>
  </authorization>
 </system.web>
</location>

Most of the answers I found on Stack Overflow suggest adding just such a location element to fix the problem, but that does not work for me so I removed it.

I created no wild-card mappings in IIS and, just to make sure, I removed the site and re-created it pointing at the same directory, only to get the same results. Can a wild-card mapping be specified anywhere other than IIS? Can my web.config file have “acquired” some kind of wild-card mapping? I use the Telerik MVC controls, which appear to have made some changes (registered namespaces, httpHandlers, modules) to the web.config file.

Any other suggestions?

UPDATE: When using Chrome to hit the website without being authenticated, the “Resources” developer tool says the following about my Site.css file: “Site.css:-1Resource interpreted as stylesheet but transferred with MIME type text/html.”

Where would such a mime type be set? The site’s node in IIS says “.css | text/css | Inherited”.