您可以通过找到解决方案来学习一些知识.恭喜你！

You learn something by finding the solution. Congratulation.

授权在 后进行.因此，在IIS上，您在处理授权规则之前看到了401.2错误页面.只有在将适当的身份验证方法设置为启用后，事情才能开始解决.

Authorization happens after authentication. So on IIS you saw the 401.2 error page before the authorization rule was ever processed. Only after a proper authentication method is set to enabled, then things start to work out.

IIS Express应该会为您提供相同的401.2错误页面.只是一个笔记.

IIS Express should give you the same 401.2 error page if you disable all its authentication methods. Just a note.

A Microsoft模式和实践文章详细说明了为什么您需要启用匿名身份验证才能允许匿名用户:

A Microsoft Patterns and Practices article explains more about why you need anonymous authentication enabled in order to allow anonymous users:

ASP.NET身份验证是一个两步过程.首先，

ASP.NET authentication is a two-step process. First,

• Internet信息服务(IIS)对用户进行身份验证，并创建一个Windows令牌来代表用户.
• 如果将IIS配置为使用匿名身份验证，则会生成IUSR_MACHINE帐户的令牌，并用于代表匿名用户.

IIS，然后将令牌传递给ASP.NET.

IIS-then passes the token to ASP.NET.

注意，因为表单身份验证不依赖IIS身份验证，因此，如果您打算在ASP.NET应用程序中使用表单身份验证，则应在IIS中为应用程序配置匿名访问

Note Because forms authentication does not rely on IIS authentication, you should configure anonymous access for your application in IIS if you intend to use forms authentication in your ASP.NET application

在IIS中，为所有使用表单身份验证的应用程序启用了匿名访问.

In IIS, anonymous access is enabled for all applications that use forms authentication.

IIS允许该请求，因为在IIS配置数据库中启用了匿名访问.ASP.NET确认授权元素包含标签.

IIS allows the request because anonymous access is enabled in the IIS metabase. ASP.NET confirms that the authorization element includes a tag.

向IIS发出请求时，有两种方法可以对用户进行身份验证:

There are two ways for a user to be authenticated when issuing a request to IIS:

• IIS本身对身份进行身份验证(使用基本身份验证，摘要身份验证或Windows身份验证)
• 将IIS配置为允许匿名" 身份验证，该网站将自行处理身份验证

• IIS authenticates your identity itself (using Basic, Digest, or Windows authentication)
• IIS is configured to allow "anonymous" authentication, and the web-site will handle authentication itself

这里令人困惑的部分是，两者之间存在差异:

The confusing part here is that there is a difference between:

就IIS而言
• 匿名
就ASP.net Forms身份验证而言，
• 匿名

• anonymous as far as IIS is concerned
• anonymous as far is ASP.net Forms authentication is concerned

从IIS的角度来看，将使用 Forms (或Owin或任何其他自定义身份验证模块)进行身份验证的任何请求仍然是匿名请求:

From IIS's point of view any request that will be authenticated using Forms (or Owin, or any other custom authentication module) is still an anonymous request:

| IIS Authentication | Application Authentication |
|--------------------|----------------------------|
| Basic              |                            |
| Digest             |                            |
| Windows            |                            |
| Anonymous          | Forms                      |
| Anonymous          | Owin                       |
| Anonymous          | BasicAuthModule            |

当我尝试允许匿名用户访问时:

When i was attempting to allow anonymous users access:

<allow users="?" />

这是 Forms 身份验证指令.但是，为了甚至到达表单身份验证，您必须在IIS级别上允许匿名身份验证.

That is a Forms authentication directive. But in order to even reach forms authentication, you must allow anonymous authentication at the IIS level.