WebAPI: 403 Forbidden After Publishing Website

Ok I'm having a hard time finding the problem as it works locally, but after posting the results, just:

Error code: 403 Forbidden. The server refused the specified Uniform Resource Locator (URL). Contact your server administrator. (12202)

Code:

[RoutePrefix("api/v1/project")]
public class ProjectController : BaseApiController
{
    [HttpGet]
    public HttpResponseMessage GetProjects()
    {
        HttpResponseMessage resp = new HttpResponseMessage(HttpStatusCode.OK);
        if(User.Identity.IsAuthenticated)
        {
            var model = new ModelFactory().CreateProjects();
            resp = Request.CreateResponse(HttpStatusCode.OK, model);
        }
        return resp;
    }
}

      

        
        
        
      

    

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // all actions under /project routes require authentication
        config.Routes.MapHttpRoute(
            name: "ProjectApi",
            routeTemplate: "api/v1/{controller}/{action}/{apikey}",
            defaults: new { apikey = RouteParameter.Optional },
            constraints: new { controller = "project" },
            handler: new BasicAuthHandler(config));

        // all routes requires an api key
        config.MessageHandlers.Add(new ApiKeyHandler());
        config.MapHttpAttributeRoutes();
    }
}

      

        
        
        
      

    

I tried several "solutions" from the net, but none of them seem to fix it. I added:

// Stop IIS/Asp.Net breaking our routes
RouteTable.Routes.RouteExistingFiles = true;

      

        
        
        
      

    

from: http://www.grumpydev.com/2013/09/17/403-14-error-when-trying-to-access-a-webapi-route/

And also make sure that:

<modules runAllManagedModulesForAllRequests="true">

      

        
        
        
      

    

Using the above code, using the following link, you will get a successful connection where it checks (in the correct order) the APIkey (ApiKeyHandler), checks if the user is required to log in (BasicAuthHandler), and then goes to the method in the controller ({controller} /{act}).

// THIS WORKS!
http://localhost:51077/api/v1/project/getprojects?apikey=123456

      

        
        
        
      

    

then we post and try to do the same

// This is haunted with number 403
http://website.com/api/v1/project/getprojects?apikey=123456

      

        
        
        
      

    

contains error code: 403 Forbidden.

I dont know. I even tried to change all the security settings of the publish folder for "NETWORK SERVICE" for full access .. no changes.

Let me know if you need more intel.