Vance Kessler - 1 month ago
ASP.NET (C#) Question

ASP.NET MVC 3 Anonymous Authorization not working

I have a strange issue that of course only occurs on our production box. It works on our test server and on my box.

I have an ASP.NET MVC 3 controller that is exposing a RESTful API. I have enabled anonymous users to call these services with the code shown below. Calling these methods via GET works just fine (using WebRequest). However, when trying to POST data (using HttpClient) it fails with a 401 error.

This web service is hosted within another IIS site which uses Windows Auth. But I configured this directory to allow Anonymous and disabled Windows auth. It lives in /Areas/Services under the main site.

I have configured IIS to allow Anonymous authentication and even enabled it in the web.config. However, when I try to POST data to this controller, I get back "401 - Unauthorized: Access is denied due to invalid credentials". I don't want any credentials! Again, GET on this same controller works fine anonymously.

This seems to be a configuration issue (since it works in QA) but I do not know any other things to configure. I have been configuring IIS websites for anonymous/windows/forms auth for 10 years but have never run into anything like this before.

Here is the code that allows MVC 3 to serve these methods up to anyone:

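public class LtWebsiteController : Controller { /* action methods not shown in the post */ }

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = false)]
public class AuthorizeAnonymousAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Skip the authorization check for LtWebsiteController.
        // The statement after the if was lost from the post; deferring to the base check is assumed.
        if (!(filterContext.Controller is LtWebsiteController))
            base.OnAuthorization(filterContext);
    }
}
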
This is driving me nuts! Please help.


You are likely missing HTTP headers for NTLM authentication. I would configure HttpClient to send the right credentials as part of the request.

// Send the current Windows identity when the server issues an authentication challenge
HttpClientHandler handler = new HttpClientHandler()
{
    UseDefaultCredentials = true
};

HttpClient client = new HttpClient(handler);

It's confusing since you are enabling anonymous authentication. But, with Windows Authentication the request needs to have proper headers. A 401 tells me the server flat out rejects the HTTP request.
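
A diagnostic client for the situation discussed above, as an added example that is not part of the original question or answer: it sends the same GET and POST with and without `UseDefaultCredentials` and prints the status code and the `WWW-Authenticate` schemes the server returns. The URL and the JSON payload are placeholders to replace with the real endpoint under /Areas/Services.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

static class AuthProbe
{
    // Placeholder endpoint (assumption): substitute the real service URL.
    const string Url = "https://example.invalid/Areas/Services/LtWebsite/Ping";

    static async Task Probe(string label, bool useDefaultCredentials)
    {
        // With UseDefaultCredentials = false the handler never answers a challenge,
        // so a 401 and its WWW-Authenticate header reach the caller untouched.
        var handler = new HttpClientHandler { UseDefaultCredentials = useDefaultCredentials };
        using (var client = new HttpClient(handler))
        {
            using (var get = await client.GetAsync(Url))
                Report(label + " GET ", get);

            // Constructed sample payload (assumption): any small body reproduces the POST path.
            var body = new StringContent("{}", Encoding.UTF8, "application/json");
            using (var post = await client.PostAsync(Url, body))
                Report(label + " POST", post);
        }
    }

    static void Report(string label, HttpResponseMessage response)
    {
        // On a 401, WWW-Authenticate names the schemes the server is demanding.
        var schemes = string.Join(", ", response.Headers.WwwAuthenticate.Select(h => h.Scheme));
        Console.WriteLine("{0}: {1} {2}, challenge=[{3}]",
            label, (int)response.StatusCode, response.StatusCode, schemes);
    }

    static async Task Main()
    {
        await Probe("anonymous", false);
        await Probe("default-credentials", true);
    }
}
```

A `Negotiate` or `NTLM` challenge on the anonymous POST means Windows Authentication is still being applied to that request, which points at the IIS or web.config settings for that path rather than at the MVC filter.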