Consider an IIS6 Application under a web site:
- Windows authentication is enabled.
- anonymous is off
This is an ASP.NET MVC application with Areas. The root web.config has the authentication and authorization nodes as follows:
<authentication mode="Windows"></authentication>
<authorization>
<allow users="domain\abc, domain\xyz, domain\foo, domain\bar"/>
</authorization>
My identity is NOT in the list of allowed users. Entering the URL in the browser, I can view and navigate to all the pages within. I know I am being authorized properly, as my Active Directory name is displayed on the site.
Problem: I am given access to the site.
Question: Using the web.config, how can I restrict users based on their Windows credentials to this IIS6 Application?
