<location path="Clients.aspx"> <system.web> <authorization> <allow roles="Administrators"/> </authorization> </system.web> </location>I need to add this line in apparently:
<deny users="*" />
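// this should then deny everybody who is not in the Administrators role, right?

/// <summary>
/// Replaces the principal of a forms-authenticated request with a
/// <see cref="GenericPrincipal"/> that carries the role names read from the
/// aspnet_Roles / aspnet_UsersInRoles / aspnet_Users tables, so that role checks
/// made later in the request (User.IsInRole, role-based authorization rules)
/// see those roles.
/// </summary>
/// <param name="sender">The object raising the event; not used.</param>
/// <param name="e">Event data; not used.</param>
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    // Only forms-authenticated users get their roles loaded; anonymous requests
    // and other identity types keep the principal they already have.
    IPrincipal currentUser = HttpContext.Current.User;
    if (currentUser == null
        || !currentUser.Identity.IsAuthenticated
        || !(currentUser.Identity is FormsIdentity))
    {
        return;
    }

    // NOTE(review): the query matches on user name only. If several applications
    // share this membership database, the same name in another application would
    // contribute its roles as well - confirm whether an ApplicationId filter is needed.
    // NOTE(review): this runs once per authenticated request; the built-in role
    // manager or a short-lived cache would avoid the round trip.
    const string roleQuery =
        "Select RoleName from aspnet_Roles"
        + " inner join aspnet_UsersInRoles on aspnet_Roles.RoleId = aspnet_UsersInRoles.RoleId"
        + " inner join aspnet_Users on aspnet_UsersInRoles.UserId = aspnet_Users.UserId"
        + " where username=@userName";

    List<string> roleList = new List<string>();

    // The using blocks return the connection to the pool even when the query throws.
    // Without them every authenticated request holds a connection until it is
    // garbage-collected, which can exhaust the pool under load.
    using (SqlConnection conn = new SqlConnection(
        ConfigurationManager.ConnectionStrings["ApplicationServices"].ConnectionString))
    using (SqlCommand cmd = new SqlCommand(roleQuery, conn))
    {
        // A VarChar(25) parameter silently truncates longer values, so a long user
        // name could match a different account whose name equals its first 25
        // characters and pick up that account's roles. 256 is the UserName width in
        // the stock ASP.NET membership schema - confirm against your database.
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = currentUser.Identity.Name;

        conn.Open();
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            while (reader.Read())
            {
                roleList.Add(reader.GetString(0)); // column 0 is RoleName
            }
        }
    }

    // A user with no role rows ends up with an empty role array, so every
    // role check for that user fails.
    HttpContext.Current.User = new GenericPrincipal(currentUser.Identity, roleList.ToArray());
}

// Then the User.IsInRole also works properly.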