I misunderstood the nature of the relationship between IIS and ASP.NET
I read about it and I found it should be set from both and it depends on what authentication I am going to use
for example If I am using windows authentication I have to set it first from IIS and after that from web.config, simply because IIS will authenticate the request first and pass authentication token to asp.net authentication module which should be set in the web.config