I'm creating an Intranet site in ASP.NET MVC 3 Beta and would like to use Windows Authentication exclusively. In addition, I'd like to use the Visual Studio Development Server in VS2010.

I modified the default web.config file to remove all references to forms authentication and switched to this:

<authentication mode="Windows"  />
<authorization>
  <deny users="?" />
</authorization>

However, when I launch my site and get the default page, I get this reply:

HTTP/1.1 302 Found
Server: ASP.NET Development Server/10.0.0.0
Date: Tue, 02 Nov 2010 14:05:19 GMT
X-AspNet-Version: 4.0.30319
Location: /Account/Login?ReturnUrl=%2f
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 145
Connection: Close

Which leads to this message in my browser:

Server Error in '/' Application.

The resource cannot be found.

Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

Requested URL: /Account/Login

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1 Version:4.0.30319.1

If I select the "NTLM Authentication" in the project properties under "Use Visual Studio Development Server" then I correctly get this reply on connect:

HTTP/1.1 401 Unauthorized Server
ASP.NET Development Server/10.0.0.0
Date: Tue, 02 Nov 2010 14:07:37 GMT
Content-Length: 1211 
WWW-Authenticate: NTLM

But then when I authenticate, I get the 302

I think this is just a matter of clearing out some default value but am not sure ("/Account/Login" doesn't appear anywhere in my web.config files). If I remove the "deny" part then things work fine except that I don't get an authenticated Principal and effectively remain anonymous.

I believe this used to work in ASP.NET MVC 2 and VS2008 by just changing the authentication mode to Windows, however it doesn't seem to work that way any more.

I know I'm probably missing something basic. Thanks!

Note: This question is similar to the "Problem restricting anonymous access to an ASP.Net MVC Site" question, but different in that I want to exclusively use Windows authentication.

I had exactly the same problem. Turns out there was a change in MVC 3 (fairly well hidden, too) that has Forms authentication automatically enabled by default, in order to disable it add the following line to your root Web.config file, under the appSettings key...

<add key="autoFormsAuthentication" value="false" />

Hope that helps!

FYI, in case this helps others : In my case, I only had to add <add key="enableSimpleMembership" value="false"> to fix the issue and <add key="autoFormsAuthentication" value="false" /> was not required. I also found this blog post very useful as an explanation http://www.codeproject.com/Articles/292149/The-resource-cannot-be-found-Account-Login?msg=4092212#xx4092212xx

Any thoughts on potential ramifications/side-effects of this fix?

also I am disappointed this issue has not yet been fixed by ms after a year +.

thanks.

Check if you have a WebMatrix.Data.dll at your bin. http://blog.fujiy.net/post/aspnet-mvc-windows-authentication-redirecionando-pro-login, http://blogs.catapultsystems.com/rhutton/archive/2012/07/20/mvc3-with-windows-authentication-redirected-to-accountlogin.aspx