I’m working on a internal web based tool for my company. Part of this tool is another application (The Cruise Control Dashboard) that runs in its own Virtual Directory under my root application.

I wanted to limit access to this internal application by setting up Forms Authentication on it, and having a login form in the root application.

I put the following into the root applications web.config:

<location path='ccnet'>   <system.web>     <authentication mode='Forms'>         <forms loginUrl='/default.aspx' timeout='5000'/>     </authentication>     <authorization>       <allow users='?'/>       <deny users='?'/>     </authorization>           </system.web>     </location> 

However, the Forms Authentication does not appear to be working, it does not redirect back to the login page when I access that application directly.

I have a feeling I have the <allow> and <deny> tags set wrong. Can someone clarify?