The cookie issue (and likely the login issue) is due to the fact that you are setting the cookie path to be /FormsAuth
. That means the cookie is only valid for that URL path and will be discarded otherwise. Also, your <authorization>
section can be tweaked a bit as I have adjusted in the following full update of your partial Web.config:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://YNET" />
</connectionStrings>
<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH"
path="/"
loginUrl="~/SignIn.aspx"
defaultUrl="~/Secure/Default.aspx"
timeout="20"
requireSSL="false"
protection="All"
slidingExpiration="true"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
<!-- For non AD passthrough authentication, specify the defaultProvider property -->
<membership defaultProvider="ActiveDirectoryMembershipProvider">
<providers>
<clear/>
<add name="ActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConnectionString"
attributeMapUsername="sAMAccountName"/>
</providers>
</membership>
</system.web>
<location path="Secure">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
If the /Secure
folder is truly the only folder you want to protect with the login, then the above works, but if you want to lock everything down except the login page, you simply need <deny users "?" />
in your main <authorization>
section.