Tags: visual-studio-2012, visual-studio-2013, asp.net-web-api2, iis-express, authorize-attribute

Web Api 2 Controller behaves different in Visual Studio 2012 vs 2013, Authorize Attribute


The exact same .sln file, which contains my MVC 5 / Web API 2 web project, behaves one way when I run it from the Visual Studio 2012 installation and behaves in an entirely different way when I run it from Visual Studio 2013.

In particular, I have a CustomerController that inherits from ApiController and responds to OData queries (no, I did not inherit from ODataController). It all works great when running it from Visual Studio 2012 (and when deployed to my 2008 R2 test web server). When I run it from Visual Studio 2013, I get this response body:

{"Message":"Authorization has been denied for this request."} 

Yes, my controller is decorated with an Authorize attribute:

Imports System.Web.Http

' The controller as described in the question: a plain ApiController
' restricted to members of one Active Directory group.
<Authorize(Roles:="MYCORP\my_activedirectory_group")>
Public Class CustomerController
    Inherits ApiController
End Class

When I remove that attribute, I can run my project locally from within Visual Studio 2013 (which is currently launching my project in IIS Express, whereas VS 2012 launches it in the ASP.NET Development Server).

What's the deal?


Solution

  • OK, I figured it out after thinking about this.

    Apparently, IIS Express wasn't configured to use Windows Authentication.

    I right-clicked my IIS Express icon in my system tray, and selected "Show All Applications"

    On the resulting dialog, I selected one of the applications listed in the grid (only 1 listed since I only have 1 running from within Visual Studio)

    Once an application item is highlighted, you can see the hyperlink/file-path to the applicationhost.config

    Within that config file, I edited this section, found about a third of the way down inside a <security> element:

    <authentication>
        <anonymousAuthentication enabled="false" userName="" />
        <basicAuthentication enabled="false" />
        <clientCertificateMappingAuthentication enabled="false" />
        <digestAuthentication enabled="false" />
        <iisClientCertificateMappingAuthentication enabled="false"></iisClientCertificateMappingAuthentication>
        <windowsAuthentication enabled="true">
            <providers>
               <add value="NTLM" />
               <add value="Negotiate" />
            </providers>
        </windowsAuthentication>
    </authentication>


    Above, I set every 'enabled' attribute to 'false' except the one on the windowsAuthentication element. For our environment, I always move NTLM up to first position in the list of providers.
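The edit described in the answer, done with PowerShell instead of a text editor, as an added example that is not part of the question or the answer. The function names (Set-IisExpressWindowsAuth, Get-AuthenticationNode) and the default config path are mine; the per-user path is an assumption for a VS 2013-era IIS Express install, so pass the path the "Show All Applications" dialog reports if it differs. It goes one step beyond the answer: with no -SiteName it rewrites the global <authentication> section exactly as the answer does, which affects every site served from that applicationhost.config; with -SiteName it writes a <location path="..."> override for that one site instead, which is the narrower change.

```powershell
# Added example (not code from the original post): apply the answer's
# applicationhost.config change with PowerShell. Assumed names and paths are
# marked below.

function Get-AuthenticationNode {
    # Returns the <authentication> element to edit: the global one under
    # system.webServer, or a per-site <location path="SiteName"> override
    # (created if missing) when a site name is given.
    param([xml]$Config, [string]$SiteName)

    if (-not $SiteName) {
        return $Config.SelectSingleNode('/configuration/system.webServer/security/authentication')
    }

    $loc = $Config.SelectSingleNode("/configuration/location[@path='$SiteName']")
    if (-not $loc) {
        $loc = $Config.DocumentElement.AppendChild($Config.CreateElement('location'))
        $loc.SetAttribute('path', $SiteName)
    }
    $node = $loc
    foreach ($name in 'system.webServer', 'security', 'authentication') {
        $child = $node.SelectSingleNode($name)
        if (-not $child) { $child = $node.AppendChild($Config.CreateElement($name)) }
        $node = $child
    }
    return $node
}

function Set-IisExpressWindowsAuth {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed default: the per-user IIS Express config used by VS 2012/2013.
        [string]$ConfigPath = (Join-Path $env:USERPROFILE 'Documents\IISExpress\config\applicationhost.config'),
        # Optional: scope the change to one site via a <location> override.
        [string]$SiteName,
        # Provider order; NTLM first, as in the answer.
        [string[]]$Providers = @('NTLM', 'Negotiate')
    )

    # The six schemes listed in the answer's <authentication> section.
    $schemes = @('anonymousAuthentication', 'basicAuthentication',
                 'clientCertificateMappingAuthentication', 'digestAuthentication',
                 'iisClientCertificateMappingAuthentication', 'windowsAuthentication')

    $config = New-Object System.Xml.XmlDocument
    $config.PreserveWhitespace = $true   # keep the file's layout so the diff stays readable
    $config.Load($ConfigPath)

    $auth = Get-AuthenticationNode -Config $config -SiteName $SiteName
    if (-not $auth) { throw "No <authentication> section found in $ConfigPath" }

    # Everything off except Windows authentication (creating any element the
    # per-site override does not have yet).
    foreach ($name in $schemes) {
        $el = $auth.SelectSingleNode($name)
        if (-not $el) { $el = $auth.AppendChild($config.CreateElement($name)) }
        $enabled = if ($name -eq 'windowsAuthentication') { 'true' } else { 'false' }
        $el.SetAttribute('enabled', $enabled)
    }

    # Rebuild <providers> in the requested order.
    $win = $auth.SelectSingleNode('windowsAuthentication')
    $providersEl = $win.SelectSingleNode('providers')
    if (-not $providersEl) { $providersEl = $win.AppendChild($config.CreateElement('providers')) }
    $providersEl.RemoveAll()
    foreach ($p in $Providers) {
        $add = $config.CreateElement('add')
        $add.SetAttribute('value', $p)
        [void]$providersEl.AppendChild($add)
    }

    # Back up, then write. -WhatIf shows the target without touching the file.
    if ($PSCmdlet.ShouldProcess($ConfigPath, 'rewrite authentication settings')) {
        Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force
        $config.Save($ConfigPath)
    }

    # Report the resulting state so it can be checked before restarting IIS Express.
    foreach ($name in $schemes) {
        [pscustomobject]@{ Scheme = $name; Enabled = $auth.SelectSingleNode($name).GetAttribute('enabled') }
    }
}

# Usage (assumed site name): dry run first, then apply to one site only.
# Set-IisExpressWindowsAuth -SiteName 'MyWebApp' -WhatIf
# Set-IisExpressWindowsAuth -SiteName 'MyWebApp'
```

IIS Express reads applicationhost.config at start, so stop it from the tray icon (or stop debugging) and launch the project again after running this. Leaving anonymousAuthentication enabled alongside windowsAuthentication would not reproduce the answer's fix: the request would still arrive as an anonymous user and <Authorize(Roles:=...)> would keep returning "Authorization has been denied for this request."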