I am currently developing a project that will use Windows authentication to authorize users and set their specific permissions. However, every time I run the program to test, the default login page created by Visual Studio when I created the project (/Account/Login) always appears first, rather than going to Home/Index. The URL is usually http://localhost:50848/Account/Login?ReturnUrl=%2fViews%2fHome%2fIndex.cshtml when I start it up, rather than just http://localhost:50848. I should also note that the program is getting the correct Windows authentication on the screen, so I know that part is working.

Is there something in my settings I can change to stop this extra login screen from popping up? I am using Visual Studio 2012, IIS Express , and MVC 4. Relevant code:

Web.config

    <appSettings>
        <add key="webpages:Version" value="2.0.0.0" />
        <add key="webpages:Enabled" value="false" />
        <add key="PreserveLoginUrl" value="false" />
        <add key="ClientValidationEnabled" value="true" />
        <add key="UnobtrusiveJavaScriptEnabled" value="true" />
        <add key="autoFormsAuthentication" value="false" />
        <add key="enableSimpleMembership" value="false"/>
      </appSettings>

<system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
    <!--<authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="2880" />
    </authentication>-->
      <authentication mode="Windows"/>
      <authorization>
          <deny users="?"/>
      </authorization>
    <pages>
      <namespaces>
        <add namespace="System.Web.Helpers" />
        <add namespace="System.Web.Mvc" />
        <add namespace="System.Web.Mvc.Ajax" />
        <add namespace="System.Web.Mvc.Html" />
        <add namespace="System.Web.Optimization" />
        <add namespace="System.Web.Routing" />
        <add namespace="System.Web.WebPages" />
      </namespaces>
    </pages>
  </system.web>

<system.webServer>
    <validation validateIntegratedModeConfiguration="true" />
    <handlers>
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
  </system.webServer>

IIS Express applicationhost.config

   <authentication>

            <anonymousAuthentication enabled="false" userName="" />

            <basicAuthentication enabled="false" />

            <clientCertificateMappingAuthentication enabled="false" />

            <digestAuthentication enabled="false" />

            <iisClientCertificateMappingAuthentication enabled="false">
            </iisClientCertificateMappingAuthentication>

            <windowsAuthentication enabled="true">
                <providers>
                    <add value="Negotiate" />
                    <add value="NTLM" />
                </providers>
            </windowsAuthentication>

        </authentication>

And yes, I have changed Windows Authentication to 'enabled' and Anonymous Authentication to 'disabled'.

Is there extra controls in the controller that would specify a user has to be logged in before accessing any pages?

Example

[Authorize(Roles = "admin")] // this can even be declared at the top of the controller and the controllers will force all to login.
public ActionResult TheController()
{
  //TODO
}

I would suggest removing the FormsAuthentication module if you're not planning go to use cookie based authentication.

<system.webServer>
  <modules>
    <remove name="FormsAuthenticationModule" />
  </modules>
</system.webServer>

Then it won't redirect to the default anymore.

Also, if you're not using SimpleMembership, go ahead and strip out all the membership code from you Account controller, and uninstall the various packages related to it via nuget. This would include the WebMatrix and the oauth and openid packages.

As it turns out, when creating an MVC ASP.NET application, two web.config files are generated. My changes were going into the wrong web.config file (the one under the views folder), rather than the main one in the application. By applying the changes in my original question to this other config file, the application works as intended.

For more information on the two web.config files, see this SO question: Why does .NET generate two web.config files in an MVC asp.net application?

You can comment the code to configure the AppBuilder in StartUp.cs

  public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            //ConfigureAuth(app);
        }
    }