You have to allow anonymous access for forms-based authentication to work, and specify:
<deny users="?" />
<allow users="*" />
There are other attributes you can set for forms-based authentication.
If you can use windows-integrated security, is your app an intranet application? If so, why not use <authentication mode="Windows"/>?