28

I have an ASP.NET MVC 3 site that I published to IIS 7.5 (framework 4.0), and the problem is that the CSS and the scripts don't work until the user logs in to the website. So:

  • The website was created as a virtual directory and converted into an application.
  • The mode is forms authentication.
  • I enabled forms and anonymous authentication in IIS.

The web config has:

<location path="Content" allowOverride="true">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>
<location path="Scripts" allowOverride="true">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
        <globalization culture="pt-BR" uiCulture="pt-BR" />
    </system.web>
</location>

<authorization>
    <deny users="?"/>
</authorization>

Note: the DLLs that I added to the bin directory: System.Web.Helpers.dll, System.Web.Mvc.dll, System.Web.Routing.dll, System.Web.WebPages.dll.

I tried to change the path in the location to "~/Content", but I got the same result.

I tried to put the allow tag in the authorization tag as:

<authorization>
    <deny users="?"/>
    <allow users="*"/>
</authorization>

But I got the same result.

What am I missing?

Vinicius Ottoni

7 Answers

52

I figured it out. It was something I missed from my checklist when setting up a new IIS application: Select the application, double-click "Authentication", select "Anonymous Authentication", then Edit, and change it to use the Application Pool Identity. Make sure that user has permissions on the folder that contains the site like the others said.

Vinicius Ottoni
  • Thanks for answering your own question about this big problem :) Is "your checklist" an official / MS "ToDo", or where can I get more info about web site publication? Thank you so much again! – FabianSilva Mar 20 '14 at 16:11
  • Thanks hugely for this, I've configured many servers and sites and not come across this before but had it today with a client's server. It had me stumped for a good hour until I came across your post. Cheers. – Paul Jan 30 '17 at 22:14
4

Try to allow content path, where your scripts and css files are stored:

<configuration>
  <location path="content" allowOverride="true">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <allow roles="admin" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
oyaebunterkrah
4

I've had this problem too, and it's not the ASP.NET authorization that is the problem; it's the rights to the files in the filesystem.

You need to make sure the website runs under an account that has access to the files. For my internal testing I usually make the website run under my account, but I guess this wouldn't be a good idea security-wise if you host it in public. You can set this under Advanced Settings -> Physical Path Credentials for the website.

Mikael Eliasson
  • All users of the machine have physical access to the website path. – Vinicius Ottoni Feb 07 '12 at 14:52
  • But by default the website is not running as any user of the machine. At least it didn't for me. When no one is logged in to the website, it runs as the anonymous user unless I specify otherwise – Mikael Eliasson Feb 07 '12 at 15:02
  • But, when you put "enable anonymous user" in iis and set it in the web.config, nothing more is needed, isn't it? (to allow access to anonymous user) – Vinicius Ottoni Feb 07 '12 at 16:39
  • Not really: "enable anonymous user" will not work if the user has no access to the files on the filesystem. And the web.config settings are about ASP.NET authorization. Your problem is the permissions on the file system IMO. – Mikael Eliasson Feb 07 '12 at 21:23
  • Hmm, but I gave permissions to everyone and put the web.config files inside folders scripts and content and nothing change. =/ – Vinicius Ottoni Feb 08 '12 at 03:34
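
Added example, not written by any poster in this thread: a simplified model of ASP.NET URL authorization (rules in the matching `<location>` are checked before the root rules, and the first matching rule decides) applied to the rules from the question. It shows that anonymous requests to Content and Scripts already pass this layer, which is consistent with the block coming from the IIS anonymous identity or file permissions; matching a `<location>` on the first path segment only and ignoring `roles` and `verbs` are simplifying assumptions.

```python
import xml.etree.ElementTree as ET

# Rules copied from the question, wrapped in <configuration> so they parse.
WEB_CONFIG = """<configuration>
  <location path="Content"><system.web><authorization>
    <allow users="*" /></authorization></system.web></location>
  <location path="Scripts"><system.web><authorization>
    <allow users="*" /></authorization></system.web></location>
  <system.web><authorization>
    <deny users="?" /></authorization></system.web>
</configuration>"""

def _rules(node):
    """Ordered (action, users) pairs from node's own <authorization> block."""
    auth = node.find("system.web/authorization")
    return [] if auth is None else [(r.tag, r.get("users", "")) for r in auth]

def _matches(users_attr, user):
    """user is None for an anonymous request, otherwise the logged-in name."""
    for token in (t.strip().lower() for t in users_attr.split(",")):
        if token == "*" or (token == "?" and user is None):
            return True
        if user is not None and token == user.lower():
            return True
    return False

def is_allowed(config_xml, url_path, user=None):
    root = ET.fromstring(config_xml)
    first_segment = url_path.strip("/").split("/")[0].lower()
    chain = []
    # Simplification: a <location> applies when its path equals the first segment.
    for loc in root.findall("location"):
        if loc.get("path", "").strip("~/").lower() == first_segment:
            chain += _rules(loc)
    chain += _rules(root)  # parent rules are consulted after the more specific ones
    for action, users_attr in chain:
        if _matches(users_attr, user):
            return action == "allow"  # first matching rule decides
    return True  # nothing matched: the machine-level default is <allow users="*" />

if __name__ == "__main__":
    for path in ("/Content/Site.css", "/Scripts/jquery.js", "/Home/Index"):
        print(path, "anonymous ->", "allow" if is_allowed(WEB_CONFIG, path) else "deny")
```

Appending `<allow users="*" />` after `<deny users="?" />` in the root block, as tried in the question, changes nothing for anonymous users because the deny rule matches first.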
3

I see that you figured it out and you are happy with your answer.

I also had this problem, but it was not an app pool authentication issue. Instead, I just allowed all users access to the locations of the css/js files, so at least the login page would render appropriately until the user logged in.

e.g. by putting this web.config file in the root of /site/public (or wherever your necessary css & js files are collected)

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <authorization>
        <allow users="*" />
    </authorization>
  </system.web>
</configuration>
secretwep
1

IUSR is generally the default impersonation user configured for anonymous authentication. If that is the case, I would make sure that IUSR has read permissions to the folders in question.

You can configure the site to use a different user as well, but I'm not sure that I'd simply switch the site to run as the application pool user. The application pool user often has more permissions than the anonymous user would/should have.

b_levitt
1

To follow up on the accepted answer, you can add the authentication tags inside the location so that you don't have to manually set this in IIS when deploying on new machines. This only shows one path, but it's easy to copy it for other paths like ~/Scripts, ~/Fonts, or any other static content you want to reference.

<location path="Content" allowOverride="true">
  <!-- Authorize all users -->
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Authenticate anonymous users -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>
Greg
1

I agree with Mikael that it could be file access rights; try giving permissions to the Everyone account, and if that cures your problem, find out which account IIS uses for the Application Pool you use and give permissions to it.

Also, if it doesn't work, try to put web.config files inside folders Scripts and Content, with authorization attributes only.

And also there is a little possibility that you overtuned your Routing in some way, and it intercepts real file requests.

Andrey Kuleshov