Hello,
There's an existing ASP.NET web forms site that was previously working with Anonymous Authentication. All pages are accessible to the general public. I have been tasked with creating a new sub-section of this site which would be limited to people authenticated using Windows Authentication, while keeping the rest of the site open to everyone.
What I first did was change the Authentication method in IIS to Windows Authentication (I disabled anonymous authentication along the way) and changed the web config file to this:
<authentication mode="Windows" /><authorization><allow users="?" /><allow users="*" /></authorization><identity impersonate="false" /> [...] <location path="NewSecureFolder"><system.web><authorization><deny users="?" /></authorization></system.web></location>
I have deployed this on the test environment which is on another domain for which I have an account.. What is happening is that when I am opening a page on the site, one of the old pages that are supposed to allow anonymous access, with my Windows Account (on the wrong domain), it's still popping up the Windows credentials dialog which is weird because this section of the site should allow anonymous users. If I enter my credentials for this domain, it works. But because of <allow users="?" /> I would have expected it let me access the page.