Well, looks like it was a simple fix. The direct line after the web.config code I have above looked like:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
and it looks like the authorization
element was completely overwriting any [AllowAnonymous]
I had - the only possible method to reach anonymously was the login page. Removing those 3 lines completely fixed my issue - I now use the [AllowAnonymous]
attribute for my WebAPI page, and it applies the basic authentication correctly.