I currently am using Forms Authentication for the members site I've built. However, I have created a CMS that I want internal folks to access via the Admin Area I created. For the Admin Area I would like to use Windows Authentication instead. I'm using IIS Express in my dev environment. I have my Admin/CMS controller decorated like this
[Authorize(Roles = @"ECR")]
public class CMSController : Controller
I've tried adding <authentication mode="Windows" /> to the Web.config system.web section in Areas/Admin.
When I try logging into the Admin/CMS area it just bounces me back to my loginUrl set in the tag of my project level Web.config. If I'm logged in it just bounces me to the homepage.
I have read a few articles on setting up Windows Authentication with IIS Express and found the suggestion to turn off "Anonymous Authentication" in the properties of the web project. I did this and Admin/CMS worked properly, allowing me in if I'm part of the group and denying me if I'm not. However, turning off Anonymous Authentication breaks my Forms Authentication section of my site. Since that worked, I tried to turn off anonymous authentication in my Areas/Admin/Web.config via the system.webServer section using:
<security>
<authentication>
<anonymousAuthentication enabled="false" />
</authentication>
</security>
without success.
What am I doing wrong here? Thank you
Supporting both forms of authentication for one site is a little dicey. I would suggest setting up two separate sites, one for admin and one for the members that both point to the same database.
Check out this discussion about the topic: Mixing Forms authentication with Windows authentication