I am creating a brand new projet with Visual Studio 2013, I choose Asp.Net MVC and the framework 4.5.1 The project is created, then, I do nothing else than F5 to start the default web page. Unfortunately, it produces a redirect to the login page which is redirecting into the login page too. Here is a short version of the url I have in the browser:
http://localhost:5285/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525
I do not have any error in the Event Viewer. But in the screen I see :
"HTTP Error 404.15 - Not Found The request filtering module is
configured to deny a request where the query string is too long."
The website is running with the default setting in IIS Express. How can I fix this problem? I am guessing something is wrong with my Visual Studio 2013?
Edit
It works if I create a brand new website and I host it in IIS. But if I create a new website (without modifying anything) and just hit play (which start IIS Express by default), it doesn't.
Edit 2
I have deleted every websites in the Documents\IISExpress\config\applicationhost.config. I have recompiled everything, and it created this entry :
<siteDefaults>
<logFile logFormat="W3C" directory="%IIS_USER_HOME%\Logs" />
<traceFailedRequestsLogging directory="%IIS_USER_HOME%\TraceLogFiles" enabled="true" maxLogFileSizeKB="1024" />
</siteDefaults>
<applicationDefaults applicationPool="Clr4IntegratedAppPool" />
<virtualDirectoryDefaults allowSubDirConfig="true" />
</sites>
I am still getting the error with IIS Express, not with IIS.
Highlight the project in Visual Studio
Open the 'Properties' panel on the right (or press F4)
Set 'Windows Authentication' to 'Disabled'
Set 'Anonymous Authentication' to 'Enabled'
You are missing [AllowAnonymous] attribute on login action.
[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
// code....
}
2nd possibility, specific to IIS Express only: is that, if you created same default WebApplication1 project multiple times, playing with different authentication settings, IIS Express stored additional authentication settings in it's configuration file. Something like:
<location path="WebApplication1">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
</configuration>
Configurations are in user's Documents folder Documents\IISExpress\config\, and you should look for:
applicationhost.config
Then just delete xml node <location path="WebApplication1"> mentioned above.
Update for VS 2015+
If you're using Visual Studio 2015 or higher, check this path for the config file:
$(solutionDir)\.vs\config\applicationhost.config
Each solution will have its own config file.
This issue is because of the authentication mode selected(by default) by the MVC 5 Template, which triggers the ReturnUrl Style of redirection that might lead to an infinite loop if not configured correctly.
To disable OWIN startup discovery,add this key to your webconfig file.
<add key="owin:AutomaticAppStartup" value="false"/>
I had to remove (Source Link):
<authorization>
<deny users="?" />
</authorization>
I know I may be late, and this is not directly for the OP's question. But if anyone in the future come here, one more check about AllowAnonymous and Authorize attribute is that, you have to check all child actions too.
For example, I had my Layout (which the Login page also use) that call 2 child actions for breadcrumbs and sidebar, and they did not have AllowAnonymous attribute (the Controller had Authorize attribute).
Hope this help.
In IIS, Select you website and check for Authentication, If you are using Forms Authentication then -
Set 'Windows Authentication' to 'Disabled' ,
Set 'Anonymous Authentication' to 'Enabled'
Set 'Forms Authentication' to 'Enabled'
ASP.Net MVC 5 template adds Microsoft.Owin and related libraries to the project. Since Owin infrastructure doesn't require Forms Authentication, the template also introduces the following key in web.config.
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
</modules>
</system.webServer>
Presence of this key could be a reason for undesirable looping back to Login page. Commenting it may help fix the problem for some people.
I faced the same problem because my MVC project was configured for .Net 4.5 but I was using .Net 4.0 as my application pool in IIS. Switched it to .Net 4.5 application pool and the problem was fixed. I hope this helps some one else!
TL:DR? Do not call a protected web API (any web API which requires Authorization) from an authorization page such as ~/Account/Login (which, by itself, does NOT do this.). If you do you will enter into an infinite redirect loop on the server-side.
Cause
I found that the culprit was, indirectly, AccountController::Authorize and the fact that AccountController is decorated with [Authorize].
The root cause was Sammy() being called from HomeViewModel() (Line 6 of home.viewmodel.js), which was accessing a "protected web API". This was being done for /Account/Login, which resulted in /Account/Login redirecting to itself.
Confirmation
You can confirm this is the cause of your problem through several methods:
Decorate AccountController::Authorize with [AllowAnonymous]
Comment out the Sammy() calls made during viewmodel construction.
Solution
The solution was to only emit the app bundle (a.k.a "~/bundles/app") for views which already required authorization. To my knowledge /Account/ views are classic MVC-based views, and are not part of the app datamodel/viewmodel, but I had mistakenly moved the bundle Scripts.Render(#"~/bundles/app") call into _Layout.cshtml (causing protected web API calls to be made for all MVC views, including /Account/.)
in my case: in my _layout.cshtml, i use Html.Action to call Action from Authorize Controller: ex: Html.Action("Count", "Product") -> loop error
fix: decorate by [AllowAnonymous] attribute in that Action (or remove these Html helper from _layout)
I just dealt with this issue for hours on end.
For me, it was in the Startup.Auth.cs file.
This code, when commented out, stopped the redirect loop.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login")
});
Please be aware that this is potentially harmful advice, it's rarely a good idea to modify an applicationhost config file directly, there are usually tools that will do this for you, safely (for example, from within Visual Studio.) Before proceeding, be sure to create a backup copy of this file in the event your IIS Express becomes trashed.
To fix this problem, I took the default IIS configuration file located here :
C:\Windows\System32\inetsrv\config\applicationHost.config
To my document
%userprofile%\documents\iisexpress\config\applicationhost.config
And it worked.
This was because I had some Windows Authentification set and not the anonymous account.
Make sure you have no actions in pipeline that have authorize attribute.
In my case, my layout had navigation menu controller which was missing allowAnonymous attribute.
I solved the same problem thanks to this accepted answer: ASP.NET Login Redirect Loop when user not in role.
It is possible that the controller containing Login action is decorated with an AuthorizeAttribute (even a custom one) while the login action is not decorated with AllowAnonymous attribute. Removing AuthorizeAttribute from the controller and adding AllowAnonymous to login action may be a possible solution.
These answers are more or less pieces of the same puzzle; I'll try to put everything in one place.
Problem that OP described hit my application the moment I implemented the OWIN pipeline and AspNET Identity.
So let's see how to fix it...
OWIN Startup
I guess you need it, because if you don't, then you don't need authentication, and I guess you do.
Except it you're using some old-style authentication, and I guess you don't.
So, don't remove either the OWIN startup attribute...
[assembly: OwinStartupAttribute(typeof(YourApp.Probably_App_Start.SomethingLikeAuthConfig))]
...or the configuration line...
<add key="owin:AppStartup" value="YourApp.Probably_App_Start.SomethingLikeAuthConfig" />
Access restriction on controllers
Now we cleared this up, you need the authentication. This means either each of your controller needs the [Authorize] attribute, or you can do the same to all controllers in one place by registering the thing globally (e.g. in RegisterGlobalFilters(), add line filter.Add(new AuthorizeAttribute())).
In the former case (when securing each controller separately) skip this part, just go to the next one.
In the latter case all of your controllers will be secured against unauthorized acces, so you need an entry point for that authorization - unprotected Login() action.
Just add...
[AllowAnonymous]
...and you should be good.
OWIN cookie configuration
When your user logs in, his browser stores encrypted (hopefully!) cookie in order to simplify things for the system. So, you need cookie - don't delete the line that says UseCookieAuthentication.
What you really have to do is turn off the IIS integrated authentication mechanism for your web application. This means switching off Windows Authentication (Disabled) and enable letting any user in, at least as long as IIS Express is now concerned, by setting Anonymous Authentication (Enabled).
When you start your web site, this will in turn copy these settings into IIS Express configuration (applicationhost.config), and there you should see these two lines:
<windowsAuthentication enabled="false" />
<anonymousAuthentication enabled="true" />
You might have the authorization config in your web.config that says deny users="?". It means the authorization subsystem is instructed to prevent anonymous users from entering.
With OWIN, this still works as designed. You either have to remove this, or make your anonymous user able to access the Login page by using something like...
<location path="Account/Login">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
HTH
I had similar issues where it was in an infinite loop when calling back to the website locally. It turns out that when debugging locally it was redirecting the ports. I updated port numbers in the project properties screen but left the Azure definition the same in the cloud project and everything started to work as expected.
I had the same issue with my Asp.Net MVC 4 project. I resolved it by going to Startup.cs and commenting out the line for ConfigureAuth(app)
public void Configuration(IAppBuilder app)
{
//ConfigureAuth(app);
}
I also made sure that I had Windows Authentication enabled in IIS for my project, and all other authentication options disabled.
For me, this turned out to be caused by my LoginViewModel containing references to translation resources files, apparently being protected by authentication. I removed those references, and the problem was solved.
For me, removing the following block fixed it:
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Assume
<authentication mode="None" />
in my case it was a very wired problem , i decorated the home controller by non existent role. so it causes a redirection loop.
Go to to your applicationhost.config file and set anonymousauthentication = "true"
<authentication>
<anonymousAuthentication enabled="true" userName="" />
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
</authentication>
Related
I've spent the entire day trying to get this to work, though it seems as if it's meant to be an out-of-the-box functionality for IIS7. I just can't figure what I'm goin wrong.
I want to have a web site (say, the default web site, that's fine) configured for forms authentication. By which I mean to say that regardless how many web applications are configured under this web site, any time an anonymous user tries to access a restricted resource they are sent to the same login page, which gathers their credentials and sends them back to the resource they wanted in the first place.
So I've set the authentication on the web site as follows - basically all off, except: anonymous (which I assume needs to be on so that the unsecured stuff is visible without logging in), and forms authentication. I have forms authentication configured to use a login page within a configured application, so: [default web site\auth\login.aspx]
I have an unsecured application configured, which of course is fine.
I have another application which has some unsecured content at its root ([default web site\test\readme.html]), and another directory where I've added a config file that has the <deny users="?"/> (so, [default web site\test\secure\readme.html]) in a config file. Of course my intention is that an anonymous users try to get resources in this directory they will be redirected to the login page for the whole site.
To my surprise, what happens is this - if I turn off anonymous access for the application I want to secure, rather than sending me to the login page configured at the web site level, I just see an unauthorized message in the browser. If I turn anon on for the secured app then no challenge is ever done and everyone can just see all resources without logging in.
Am I missing something here? Shouldn't web applications configured within a web site all act the same way, and use the sites' authentication scheme? Am I wrong about this being a feature or am I just doing something wrong to make it happen?
I also (after goofing with it for a while) set the login page under the 'Error pages' section of the main web site to handle 401 status, without any luck.
I don't think the asp.net handler is invoked for static files unless you configure it to be. Adding a handlers section for html files in the root config will allow your app using forms authentication to handle html files as well.
<system.web>
<compilation>
<buildProviders>
<add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
</buildProviders>
</compilation>
</system.web>
<system.webServer>
<handlers>
<add name="html" verb="GET, HEAD, POST, DEBUG" path="*.html" type="System.Web.UI.PageHandlerFactory" />
</handlers>
</system.webServer>
I am using HttpContext.Current.User.Identity.Name to get the user name when the web application is in use. During development I was using my local iis, with integrated windows authentication enabled and anonymous access enabled and disabled, and I was able to get the username.
Now, when I publish the web application, it comes back blank. The setup on the published server is the same, and I have tried using Page.User.Identity.Name, which also returned blank.
Does anyone know why this is and how to fix it?
You probably had Anonymous Authentication on as well as Windows Authentication. Turn off Anonymous off.
So,
<system.web>
<authentication mode="Windows" />
</system.web>
In IIS config for the app,
look in Authentication tab
Set **Anonymous Authentication** to **Disabled** and
Set **Windows Authentication** to **Enabled**
This should work and the Identity.UserName should now show up properly.
HttpContext.Current.Request.LogonUserIdentity.Name always work for me in VS 2012 environment and IIS 7
To solve the problem, you have to enable the Windows Authentication feature. Follow the below steps:
-Click Start, and then click Control Panel. Open the Programs group.
-Under Programs and -Features, click Turn Windows Features on or off.
-Expand the item labeled Internet Information Services.
-Expand the item labeled World Wide Web Services.
-Expand the item Security ->
Make sure to select Windows Authentication
Also you need to disable Anonymous Authentication from the IIS as follows:
-Click on your application in IIS
-Double click Authentication under IIS group
-Click on Anonymous Authentication
-Click on Disable on the right side under Actions.
Hope this helps
When working with WIF you should use Thread.CurrentPrincipal.Identity.Name instead of User.Identity.Name.
Read more here: http://msdn.microsoft.com/en-us/magazine/ff872350.aspx to learn more about Windows Identity Foundation
Similar question: User.Identity.Name is null after authenticate via WIF
set <authentication mode="Forms"> in web.config file & Your Problem Will solve.
Test your web-site by using below code
if (Page.User.Identity.Name != "" )
{
Label1.Text = "Hello";
}
else
{
Response.Redirect("login.aspx?url=Upload.aspx");
}
This will not solve the original post, but want to put this here anyways in case others stumble across this when searching for why user.identity is returning nothing...
In my case User.Identity started returning nothing after updating a users ad username (specifically the pre-windows 2000 username).
The LSA cache on IIS was the issue. Even after restarting the IIS server while troubleshooting the issue persisted. It was not until adding the registry setting outlined here the the issue was fixed:
https://support.microsoft.com/en-us/help/946358/the-lsalookupsids-function-may-return-the-old-user-name-instead-of-the
For a blank return, my solution ended up being the web.config. I'm using Visual Studio 2010, and the default web.config did not work. I replaced it with a nearly empty web.config and then success! Perhaps the default vs2010 web.config called too many references or configured the IIS incorrectly for the use of User.Identity.Name. My system is Windows7.
Default asp.net web site web.config from vs2010 was about 100-115 lines long. As you can see below the nearly empty web.config is about 20 lines long.
the web.config that i used:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="Doman Name\Group Name" users="" />
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<security>
<authorization>
<add accessType="Allow" users="" roles="Doman Name\Group Name" />
</authorization>
</security>
</system.webServer>
</configuration>
In IIS: click on your Site.
In Home Page: Authentication.
In Action menu: Open Feature.
Disable Anonymous Authentication.
Restart Site.
steps 1,2,3
step 4
We have an ASP.NET application on ASP.NET 4.0 using MVC 3 which uses Windows authentication.
When run from Visual Studio 2010 everything works as expected but when rolled out to IIS7 the Windows logged in user never gets populated (checking User.Identity.Name). No dialog prompt for user credentials comes up either.
The web.config setting:
<authentication mode="Windows" />
In IIS I can see that Windows authentication is enabled, as is Anonymous (disabling Anonymous results in a 403 Forbidden and no content being shown).
I've tried both enabling and disabling "Kernel-mode authentication" (useKernelMode="true"), but this doesn't seem to make any difference. Though I do remember that we had to disable this setting on another site on a different server to get the authentication to work properly (might point to a potential issue further down the stack?).
In case it's useful, from IIS's applicationHost.config:
<security>
<authentication>
<anonymousAuthentication enabled="true" />
<digestAuthentication enabled="false" />
<basicAuthentication enabled="false" />
<windowsAuthentication enabled="true" useKernelMode="false">
<providers>
<clear />
<add value="NTLM" />
</providers>
</windowsAuthentication>
</authentication>
</security>
Any ideas what the issue could be?
Thanks in advance for any suggestions.
Update 1
I managed to find another IIS7 server to test on and I found if I disabled Anonymous access everything worked as desired. However I still have issues on the original IIS7 server even when I disable Anonymous access as well (I'm keeping Anonymous disabled now). So there must be some issue further down the stack I guess. Any ideas? Something I need to fix as it's going to keep popping up and biting us I imagine.
Update 2
If I enable Digest Authentication on the problem IIS7 box then I am challenged with the login prompt dialog and everything works as expected if I provide suitable credentials. But being an internal web app with users already logged in to the domain we don't really want to challenge them this way. Credentials should be passed through transparently as it works on the second IIS7 box.
Update 3
Some progress... I've found that if the web app is in the root and not a sub site then directly editing the applicationHost.config file for IIS7 to give the following authentication settings allows the site to work as expected:
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true">
<providers>
<clear />
<add value="NTLM" />
</providers>
</windowsAuthentication>
<digestAuthentication enabled="false" />
</authentication>
Using IIS7's UI to configure the authentication doesn't give quite the right results. authentication items are either missing after wards (as I guess IIS7 assumes they are being inherited) or they have the wrong settings (windowsAuthentication seems to need the providers configuration above present to work correctly).
Unfortunatly the web application in question is actually a sub application as there's an internal version (using windows authentication > www.site.com/internal) and an external version (using forms authentication > www.site.com/external). I still can't get the authentication to work as a sub application yet. I just get a "Error Code: 403 Forbidden".
In this case it was a Microsoft ISA Server issue. Seems the request was being routed internally through ISA for the Windows Authenticated site, once ISA was removed the problem disappeared.
I don't know a lot about ISA and how it routes requests but I assume it must have been stripping out some important information from the request because of some rule someone will have configured.
As a side note in case it helps diagnose similar setups: I was told by the network admin staff that internal traffic was not routed through ISA, but pinging the website internally showed that ISA was actually in play.
You mentioned that disabling anonymous access worked on another server, but on your main server you are experiencing 403 errors. Therefore, I would check the file based permissions on the folder where your site is running from. In the past I have needed to grant the \Network Serivce account full control to the site folder and all subfolders or I would experience 403 errors. Check the file permissions on the server that is working and see if there are differences with the server that is not working.
Also, if this is not the issue, I would recommend comparing all of the other IIS settings between the two servers, since you know it works on one and not the other. Find the difference.
I have an ASP.NET MVC 3 Beta application running on IIS. In my web.config I defined following section responsible for forms authentication:
<authentication mode="Forms">
<forms
loginUrl="~/Account/LogOn"
name=".VNK"
protection="All"
timeout="43200"
cookieless="UseCookies" />
</authentication>
The defined login address is ~/Account/LogOn.
When I try to get the login url using:
FormsAuthentication.Initialize();
string loginUrl = FormsAuthentication.LoginUrl;
I receive: /VNK/site/Account/Login
Why do I get a different address from the one defined in web.config?
UPDATE: The "/VNK/site/" prefix is not a problem here. The problem is that LoginUrl property of FormsAuthentication class does not reflect the value from web.config. It means that if I change the value of loginUrl attribute in web.config from "~/Account/LogOn" to e.g. "~/foobar", FormsAuthentication.LoginUrl still has value of "/VNK/site/Account/Login". Why ?
I think there is a bug in ASP.NET MVC 3 Beta. This problem does not appear in previous releases of ASP.NET MVC.
If anyone wants to replay this error, he should follow this:
1.Download the mvc framevork.
2.Create new ASP.NET MVC 3 Web Application
3.Applay Authorize attribute on About action in HomeController
[Authorize]
public ActionResult About()
{
return View();
}
4.Start application and invoke About action by clicking on About tab. You will get server error, because application is trying to redirect You to such URL:
http://localhost:[port_num]/Account/Login?ReturnUrl=%2fHome%2fAbout
There is obviously no Login view. There is LogOn view. Url to LogOn action is defined in untouched web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
But application does not reflect that. Have anyone any clue what's going on ?
UPDATE:
I was right, there is a bug in MVC 3 Beta. From known issues:
"There’s a known issue that causes Forms Authentication to always redirect unauthenticated users to /Account/Login, ignoring the forms authentication setting used in Web.config. The workaround is to add the following app setting."
<add key="autoFormsAuthentication" value="false" />
UPDATE 2:
Alexander Prokofyev noticed, that ASP.NET 3 RTM looks for another setting. So you need this line instead:
<add key="loginUrl" value="~/LogOn" />
If you have access to IIS, then append a new application and enable ASP.NET "integrated pipelining" in application pool section by double clicking it.
If your hosting provider does not grant you access to IIS,
then login to the control panel.
Go to websites, under the management tab- enable ASP.NET integrated
pipe lining.
Set your application as a virtual directory
(It worked for me)
So the simple solution was to remove WebMatrix.*.dll from Bin folder in web project. I have done this for my asp.net project since it was redirecting my login to mvc style url.
Updated answer for MVC 4, heavily borrowed from this page and Request redirect to /Account/Login?ReturnUrl=%2f since MVC 3 install on server
<appSettings>
...
<add key="PreserveLoginUrl" value="true" />
</appSettings>
...
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="43200" /> <!--43,200 in minutes - 30 days-->
</authentication>
Put the following in appSettings:
<add key="loginUrl" value="~/Account/LogOn" />
You could empty loginUrl from Form Authentication configuration.
I removed the following from my web.config
<remove name="FormsAuthentication" />
and then everything seemed to work. This text had been added by default when I created my project.
The tilde (~) means "the root of my web site" so you don't have to keep using .. or \ to step up and down the web site structure. However, from an IIS perspective you web application may have an additional layer of directory structure which is being reflected when you request the LoginUrl programmatically. I'm unsure as to why you want to retrieve the LoginUrl, the normal state of affairs would have IIS redirect the user to the LoginUrl automatically any time they try to access a page that they are not authenticated for.
I think the server has trouble deciding what ~ means in this case, try giving a more direct url to the login page, such as /Account/LogOn.
Maybe you'll find something useful here http://msdn.microsoft.com/en-us/library/xdt4thhy.aspx
I'm working on a website built with pure HTML and CSS, and I need a way to restrict access to pages located within particular directories within the site. The solution I came up with was, of course, ASP.NET Forms Authorization. I created the default Visual Studio log in form and set up the users, roles, and access restrictions with Visual Studio's wizard. The problem is, I can't log in to the website with the credentials that I have set.
I'm using IIS 7.
I'd guess (since I don't have IIS7 handy ATM) that you'd need to turn off Anonomyous Auth, and enable Forms Auth in the IIS7 sections.
At what point did you insert your login/password? Did you have a look at the tables that where created? Althought your password must be encrypted, maybe it's worth just checking if your user was actually created.
At what point did you insert your login/password? Did you have a look at the tables that where created? Althought your password must be encrypted, maybe it's worth just checking if your user was actually created.
Forms Authentication does not require any form of user database.
Steve, can you please paste in your forms authentication web.config section, also any relevant code to the ASP.NET Login control you were using.
There is not enough information to troubleshoot here yet :)
The web.config section is pretty useless as far as I can tell:
<authentication mode="Forms" />
I looked in IIS 7, and in the Authentication section it says: Anonymous Authentication = Enabled, ASP.NET Impersonation = Disabled, Basic Authentication = Disabled, Forms Authentication = Disabled.
Also, I have made no changes to the code other than dragging a Login object onto the designer and changing the page it points at to index.html.
Currently, the log in fails by displaying the log in failed text.
EDIT: Earlier when I would try to navigate directly to a page that is restricted, I would receive a blue page saying that I had insufficient permissions. Now I can see the pages that are restricted without logging in even though I have anon access denied.
Steve,
I don't think the issue is with your IIS settings. Because forms authentication does not rely on IIS authentication, you should configure anonymous access for your application in IIS if you intend to use forms authentication in your ASP.NET application.
Try this in your web.config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="~/login.aspx" defaultUrl="~/">
<credentials passwordFormat="Clear">
<user name="YourUsername" password="superSecret" />
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<system.web>
</configuration>
There are better ways to implement forms authentication than hardcoding a username and password into your web.config, but this should work for getting you started.