Sunday, October 02, 2011

MVC 3, WIF & Security

I have recently been working with ASP.NET MVC 3 and Windows Identity Foundation. Most of the pages in the application require that the user be logged in and everything was working fine with the [Authorize] attribute applied to the controllers and action methods.

Recently, we needed to add a couple of new pages that could be accessed without being logged in (anonymously). So we created a new Controller without applying the [Authorize] attribute but we weren't able to access any of the new pages without being forced to log in.

We thought that we might have needed to add a <location path="..."> exception in web.config for the new pages, but this has no effect in MVC applications, only in traditional ASP.NET. After lots of attempted fixes, we discovered that at some point in the past the <authorization> node in web.config had been given the following single line: <deny users="?">.

This had the effect that the entire web application was protected behind a login session. Once we changed it to <allow users="?">, then all of the [Authorize] attributes kicked in and did their job admirably.
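The following is an added example, not code from the post or its application, showing how the two authorization layers interact in an ASP.NET MVC 3 project. The controller names, view names and the PublicAccessAttribute / DefaultAuthorizeAttribute types are assumptions made for illustration. It also goes one step beyond the post: the second half shows the MVC 3 global-filter pattern that keeps the application fail-closed (unlisted controllers stay protected) without relying on the web.config <deny users="?"> rule, which is the trade-off to weigh once you switch that rule to <allow users="?"> and every public page depends on someone remembering the [Authorize] attribute elsewhere.

```csharp
// Added example (not from the post). Two ways to decide who may reach a page
// in an ASP.NET MVC 3 + WIF application.
//
// web.config before the fix (blocks every anonymous request before any
// controller runs, so [Authorize] is never consulted):
//     <authorization><deny users="?" /></authorization>
// web.config after the fix (anonymous requests reach routing; each
// controller/action decides for itself):
//     <authorization><allow users="?" /></authorization>

using System;
using System.Web.Mvc;

// --- Per-controller model: what the post relies on after the fix ---

// Protected area: every action requires an authenticated user (WIF session).
[Authorize]
public class AccountController : Controller
{
    public ActionResult Index()
    {
        return View();   // assumed view; only authenticated users get here
    }
}

// Public area: no [Authorize], so it is reachable anonymously once
// web.config no longer denies "?". [PublicAccess] is only needed by the
// optional global filter below and is harmless without it.
[PublicAccess]
public class PublicController : Controller
{
    public ActionResult Contact()
    {
        return View();   // assumed view
    }
}

// --- Optional fail-closed model (assumption: not used by the post) ---
// MVC 3 supports global action filters but has no built-in [AllowAnonymous]
// (that arrived in MVC 4), so a marker attribute plus a global authorize
// filter that honours it gives "deny by default, opt out explicitly".

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class PublicAccessAttribute : Attribute { }

public sealed class DefaultAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Opt out only when the action or its controller is marked public.
        bool optedOut =
            filterContext.ActionDescriptor.IsDefined(typeof(PublicAccessAttribute), true) ||
            filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(PublicAccessAttribute), true);

        if (optedOut)
        {
            return;                              // explicitly public: skip the check
        }
        base.OnAuthorization(filterContext);     // otherwise require authentication
    }
}

// Called from Application_Start in Global.asax.cs as
//     RegisterGlobalFilters(GlobalFilters.Filters);
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new DefaultAuthorizeAttribute());
    }
}
```

With <allow users="?"> in web.config and only the per-controller attributes, a new controller that nobody decorates is public by accident; with the global filter registered, the same new controller is protected until someone adds [PublicAccess], which is the safer default when most of the site requires a login, as in the post.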

It's almost always something simple yet it takes a few hours to find out.