After moving a ASP.Net 4.8 site to a new box, attempts to access the default page of the site now have a “ReturnURL=/” appended to the URL.

File path for the site is setup as follows:

Site

   Secure (files here need auth to access)
     Web.config

   LoginFolder (files here shouldn't)
     LoginPage 

Web.Config

Content of secure folder level Web.config file:

<configuration>
    <appSettings/>
    <connectionStrings/>
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
</configuration>

Site level Web.config is setting the authentication mode to Forms as listed below:

    <authentication mode="Forms">
      <forms loginUrl="mysiteLogin.aspx" defaultUrl="~/Secure/Default.aspx" timeout="720" protection="All" slidingExpiration="true" cookieless="UseCookies" />
    </authentication>

<location path="Secure">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

When a user attempts to hit the base URL for the site, the URL is re-directed to the login page as expected, but the appended “ReturnURL=/” causes them to hit the login page again. After a second login, the user is able to proceed without issue.

I can’t seem to find where the permissions for this would be located. Site code is the same between boxes.

Checking folder permissions on the new server, they seem to match what was on the old server.

Any help is appreciated!