HTTP Error 404.15 - Not Found ...because the query string is too long

Question

I've checked lots of posts about this error but not been able to fix the problem yet.

I have simple MVC5 website built in VS2013 running on Windows 8 pro. When the site was created the option for individual accounts was selected. I now need to enable windows authentication so that only AD account users can use the website and also authorisation so that I can limit access to certain views / controllers to particular AD groups.

Having selected the web project within VS I have updated the properties window (F4) so that Anonymous Authentication is set to disabled and Windows Authentication is set to Enabled.

The web.config for the project now contains the following sections:

<system.web>
    <authentication mode="Windows" />
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <system.webServer>
    <modules>
      <remove name="FormsAuthenticationModule" />
    </modules>
  </system.webServer>

I access the site from IIS or F5 I get the error: HTTP Error 404.15 - Not Found The request filtering module is configured to deny a request where the query string is too long. I notice that something has looped to give a ReturnUrl which is a repeating long concatenation within the query string.

Within the IIS\Authentication section, I have set to disabled "Anonymous Authentication, ASP.Net Impersonisation, and Forms Authentication". Within the section IIS.Net Authorization Rules I have set to Deny "Anonymous Users" and Allow "All Users"

Where am I going wrong?

Answer 1

The only time I've personally run into this issue is when I accidentally added [Authorize] to a child action that was used in the layout. Adding [Authorize] to your sign in action would have the same effect or simply neglecting to add [AllowAnonymous] on your sign in action, when the controller it is in has [Authorize] on it. Long and short, this is being caused by something requiring authorization on the actual sign in page, which then causes you to be redirected to the sign in page, which needs authorization, causing you to be redirected to the sign in page, etc.

tl;dr

1. Make sure your sign in / login action does not have [Authorize].
2. Make sure your sign in / login action does have [AllowAnonymous].
3. Make sure no child actions used in your layout or sign in page have [Authorize] or have [AllowAnonymous] if they are in a controller decorated with [Authorize].

Answer 2

I got this error when I enabled Windows authentication. I wanted to authorize the user based on Windows login and I do not want login page in my application.

I got the error fixed by adding the below in my Web config file.

1. Under the tag system.web, changed authentication mode="None" to authentication mode="Windows"

2. Under tag appSettings, added add key="owin:AutomaticAppStartup" value="false"

Answer 3

You may have a function in startup that redirects you to a login page. You must disable it.

I created the project by default authentication method which creates an account controller and its dependencies. When I changed the authentication method to Windows, the mentioned error was raised.

What I did was comment out the ConfigureAuth(app) function in my Startup.cs file to resolve the issue.

Answer 4

I had the same problem..

Check under Project Properties..

Anonymous Authentication=False
Windwos Authentication=True

Answer 5

We ran into a similar issue and our authorize filters were correctly implemented. I am leaving this here in case someone else runs into same problem with IIS 10.

After working with Microsoft support, we determined that the .Net Authorization Rule was not enabled on the server level.