Unauthenticated users cannot access static files in ASP.NET MVC regardless of location elements

Question

I know this question has been asked several times on SO, but none of those answers have worked in my situation. I have an ASP.NET MVC2 app that uses Forms authentication on my local IIS 7.5(7600.16385) on an AppPool running in integrated mode. Interestingly, this does not happen when using the development web server that comes with VS 2010. My web.config file contains no <authorization /> and no <location /> elements. When I hit the home page, I get everything in the logon view except for the .CSS and .PNG files stored in the ~/Content directory. When I directly request the .CSS file with http://localhost/WebSubscribers/Content/Site.css, I am redirected to the logon page. It seems like a wild-card mapping tries to authorize every request even when I allow that request using <location path="Content" /> as shown below:

<location path="Content" >
 <system.web>
  <authorization>
   <allow users="*"/>
  </authorization>
 </system.web>
</location>

Most of the answers I found on Stack Overflow suggest adding just such a location element to fix the problem, but that does not work for me so I removed it.

I created no wild-card mappings in IIS and, just to make sure, I removed the site and re-created it pointing at the same directory, only to get the same results. Can a wild-card mapping be specified anywhere other than IIS? Can my web.config file have "acquired" some kind of wild-card mapping? I use the Telerik MVC controls, which appear to have made some changes (registered namespaces, httpHandlers, modules) to the web.config file.

Any other suggestions?

UPDATE: When using Chrome to hit the website without being authenticated, the "Resources" developer tool says the following about my Site.css file: "Site.css:-1Resource interpreted as stylesheet but transferred with MIME type text/html."

Where would such a mime type be set? The site's node in IIS says ".css | text/css | Inherited".

Answer 1

I found both the cause and solution to my problem in IIS. The web app runs in IIS from within my Visual Studio Projects directory, so I configured it to use an AppPool that runs under my user account. In IIS, the Anonymous Authentication feature was configured as Specific user: IUSR. I do not know why or how. When I changed this back to Application pool identity, unauthenticated users could access static files.

+1 to Craig Stuntz for pointing out that wild-card mappings as well as the location elements are not needed for MVC and IIS 7.

Answer 2

You shouldn't be using a wild card mapping for IIS 7 in integrated mode. You only need that for IIS 6 / "classic" mode. You don't need the location element, either; this "just works."