I ran the patches they suggested today - GDIPlus security update - for Windows XP SP1 (can't go to SP2 yet for other reasons), VS.NET 2003, and .NET Framework 1.1. I have had forms authentication working in my ASP.NET app for quite a while. After the patch install, I noticed that the IIS config was changed to not start automatically. I changed it back so I could run my app and now forms authentication is broken. Every time I log in with my login form, it doesn't redirect. I had it as FormsAuthentication.RedirectFromLoginPage(user_name, true) and then decided to hardcode the home page: FormsAuthentication.RedirectFromLoginPage(user_name, true, homepage) to test. When I did that, it went to the home page, but if I clicked on any links, it would redirect back to the login page. Has anyone seen this? Am I missing another setting in IIS that may have changed? Is there some default in IIS that my app was probably using that is changed for security reasons with this new patch? Please help! I can back out of the patch, but I want to fix whatever it is, so I don't run into it again when I deploy to the Windows 2003 server it will be hosted on.