Have you set up allow and deny rules?
You need to inform the system that you require users to be logged in, before they can look at certain pages.
And you can also say that some pages, or all the pages in certain folders, require users to be in certain roles.
You do this with allow and deny in web.config
If you have pages in different folders, you can have a little web.config in each folder that gives the rules for the pages in that folder.
For example, here is a web.config file where:
Users with adminstrator role are allowed. allow roles="administrator"
All other users are banned - deny users="*"
This applies to all pages in that folder.
<configuration>
<system.web>
<authorization>
<allow roles="administrator, developer" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
For more information look at:
Copy paste of url in new browser window should take me to Login Page
[
^]