Another thing you can try is setting the "Run All Managed Modules for All Requests" option under in your applicaiton's Web.config.
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"></modules>
<handlers>
<remove name="UrlRoutingHandler"/>
</handlers>
</system.webServer>
You need the managed modules to run on incoming requests if you require Forms Authentication to access your application, because Forms Authentication is a managed module. So if you're requiring Forms Authentication, but that module isn't running, IIS just gives a 403 error because it can't get you the kind of authentication the application requires.
default
<system.webServer>
<handlers>
<remove name="UrlRoutingHandler"/>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler"
preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true">
<remove name="ApplicationInsightsWebTracking" />
<add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" />
</modules>
</system.webServer>
