In IIS 7 Web site I have web.config authorization configuration to allow only definite roles. But one page must be available for all users. The problem is that if user is not in allowed group DOMAIN\group1 then he gets authentication prompt (User name and password) when opening page public_page.aspx that is allowed for all. Despite of that he is in domain. User presses Cancel on the prompt and then this public page is opened successfully and he is even authenticated in it (<%=User.Identity.Name%> in it shows his Windows identity). Browser is IE8. In IIS6 there was no such issue. Why does browser show this username/password prompt if the user is authenticated successfully? And how can I disable it? Maybe I should somehow reconfigure a web.config? Thank you all for help!
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="DOMAIN\group1" />
<deny users="*" />
</authorization>
</system.web>
<location path="public_page.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
I resolved the issue by creating web.config by placing public_page.aspx to subfolder /public and created web.config file there with contents: