Adib,
You have made changes to your authentication section but did you change
the authorization section?

To deny all users but those who have been authenticated use the
following code blocks:

<!--  AUTHORIZATION 
          This section sets the authorization policies of the
application. You can allow or deny access
          to application resources by user or role. Wildcards: "*" mean
everyone, "?" means anonymous 
          (unauthenticated) users.
    -->
    <authorization>
        <deny users="*"/> <!-- Deny everyone -->
	  <allow users="?"/> <!-- Allow all authenticated users -->

            <!--  <allow     users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
                  <deny      users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
            -->
    </authorization>

Hope this helps,

	
Craig.
-----Original Message-----
From: Adib [mailto:r_adib@h...] 
Sent: Thursday, May 09, 2002 1:59 AM
To: ASPX_Professional
Subject: [aspx_professional] Form Based Authentication


Hi all,
   I am utilising form-based authentication.I have made the following 
configuration in web.config
file.
    
  <authentication mode="Forms">
    <forms name="MyApp01" path="/" loginUrl="custom-login.aspx"
           protection="All" timeout="600"  >
      </forms>
  </authentication>

I have created the login and default pages.But the authentication is not

working since i can open any of 
the pages.


  Can u please explain in me in steps the procedure for configuring the 
virtual root for form based 
Authentication.

  Bye Adib