Use global authentification filter with custom behaviour instead of authorization configuration in web.config (best for MVC)
add global filter
public class FilterConfig
{
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new AuthorizeAttribute());
}
}
Then, [AllowAnonymous] will works, and all other controllers and actions requires Authorization.