I'm developing a MVC2 application and using Forms Authentication on it.

The scripts, images and styles are all blocked to unlogged users and, consequently, the login page looks awful.

It works well local, the problem is when I publish to the server.

Does anyone has any idea WHY????

PS: The server IIS is version 7.5

My Web.config:

<configuration>
  <system.web>
    <globalization culture="pt-BR" uiCulture="pt-BR" />
    <httpRuntime requestValidationMode="2.0"/>
    <customErrors mode="Off" />
    <compilation debug="true" targetFramework="4.0">
      <assemblies>
        <add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
        <add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
        <add assembly="System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
      </assemblies>
    </compilation>

    <pages>
      <namespaces>
        <add namespace="System.Web.Mvc" />
        <add namespace="System.Web.Mvc.Ajax" />
        <add namespace="System.Web.Mvc.Html" />
        <add namespace="System.Web.Routing" />
        <add namespace="Admin.Models" />
      </namespaces>
    </pages>

    <authentication mode="Forms">
      <forms name="AGAuth" loginUrl="~/Home/Login" timeout="120" />
    </authentication>
  </system.web>

  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>

  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0" newVersion="2.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>

  <connectionStrings>
      <add name="DBContainer" connectionString="metadata=res://*/Database.DB.csdl|res://*/Database.DB.ssdl|res://*/Database.DB.msl;provider=System.Data.SqlClient;provider connection string=&quot;Data Source=thewebserver.com,5158;Initial Catalog=thedatabase;Persist Security Info=True;User ID=theuser;Password=thepassword;MultipleActiveResultSets=True&quot;" providerName="System.Data.EntityClient" />
  </connectionStrings>

</configuration>

I had exactly the same problem.

The cause turned out to be the IIS authentication configuration. By enabling Anonymous Authentication (and enabling Forms Authentication and disabling Windows Authentication) the scripts, styles and images became accessible when logged off.

Add a web.config to the scripts, images and styles folders telling asp.net to allow access to all users (make sure you you don't have anything in there that you don't want anonymous users to have access to):

<configuration>
      <system.web>
         <authorization>
            <allow users="*"/>
         </authorization>
      </system.web>
</configuration>

As for the reason, the following is telling IIS to let asp.net process all the requests:

  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>

You can set permission to required folders like this:

<location path="App_Themes">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="images">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <system.web>

Take a look at the documentation for the location element. I think the first example will give you what you need.

For convenience, here is the example mentioned:

<configuration>
   <location path="Logon.aspx">
      <system.web>
         <authorization>
            <allow users="?"/>
         </authorization>
      </system.web>
   </location>
</configuration>

The group IIS_WPG need read access to the fold. Now it works fine... hope this helps someone else

You can set the permission to required folders like this

<location path="App_Themes">
<system.web>
  <authorization>
    <allow users="*"/>
  </authorization>
</system.web>

This is a complete stab in the dark but what are the rights on the image and css folders? If they are set so that only authorised people can get to them then you have a problem. You might try setting the rights on those folders to everyone, or for the .net default user and see what you get.

Did you accidentally copy or create a Web.config file in your Content folder that has an <authorization> element that may be denying access?

I had the same problem too and I tried what Scott H suggested but it didn't work...

It turns out the user assigned to Anonymous Authentication was set to IUSR (right-click 'Anonymous Authentication' -> Edit), which didn't have access to my code. I had given access to the Application pool identity, so I selected that option, clicked 'OK', and bingo it worked.