We have windows authentication set up on our staging server for our clients to help prevent google from indexing our staging URLs. We recently found out that one of our sites is seemingly ignoring our IIS settings (anonymous authentication is disabled, windows authentication is enabled). We ended up figuring out that removing the setting runAllManagedModulesForAllRequests=”true” on the modules node (which is required for our URL rewriting on the site) fixes the issue and the windows login/password box appears as expected when we browse to the site. If we keep the setting there, the site allows any anonymous user to browse the website.
How can we keep anonymous authentication off while keeping runAllManagedModulesForAllRequests set to true?
EDIT: We realized that we have other sites where this setting is on and windows authentication is working just fine. This only appears to happen in our ASPDotNetStorefront websites. I’m now wondering where I should check to see what is causing this issue – my guess is some sort of custom authentication module, but I don’t have enough knowledge to figure out where to start debugging this.
We found that by setting the managed pipeline mode to Classic, it will obviously ignore the system.webServer node in the web.config, so we now get the windows login prompt as we expect. Some of the rewrites won’t work most likely, but luckily we don’t care about these particular rewrites on our staging server, so we are OK.