Seems the problem is that the .NET security only applies to ASPX files.
I was testing by loading an html file supposing that all files in that
subfolder would be secured. Silly me.
According to MSDN :
a.. Given a set of merged rules for a URL, the system starts at the head of
the list and checks rules until the first match is found. Note that the
default configuration for ASP.NET contains an <allow users="*"> element,
which authorizes all users. If no rules match, the request is allowed unless
otherwise denied. If a match is found and the match is a <deny> element, it
returns 401. Applications or sites can easily configure a <deny users="*">
element at the top level of their site or application to prevent this
If an <allow> matches, the module does nothing and lets the request be
So I guess you should remove the <allow users="*" /> tag, because this is
the first match in the authorization heuristics that ASPNET performs.
Hope this helps,
> I'm trying to restrict access to a subfolder using <location> tag in
> web.config but the login page does not appear and I get access to the
> Any assistance would be greatly appreciated.
> Here's the relevant web.config:
> <!-- enable Forms authentication -->
> <authentication mode="Forms">
> <forms name=".ITINKOAUT" loginUrl="login.aspx" protection="All"
> <credentials passwordFormat="Clear">
> <user name="user1" password="password1"/>
> <allow users="*" />