You'll have to remove the
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
as I believe the AllowAnonymous
attribute won't override that.
UPDATE
You'll have to add an Authorize
attribute to the controllers, or as the following article mentions, you can set it in GlobalFilters