DotNetNewsgroup.com  
web access to complete list of Microsoft.NET newsgroups
start date: Fri, 10 Aug 2007 12:27:35 -0700, posted on: microsoft.public.dotnet.framework.aspnet.security

User.IsInRole fails unless authorization section limits access

I have a web page that any authenticated user can access, but I
dynamically enable/disable other ASP.NET controls on the web page
based on the role that they are in via C# code-behind. My
web.config is as follows...

<system.web>
    <authorization>
       <deny users="?" />
    </authorization>

    <authentication mode="Windows" />
</system.web>

I am hosted on Windows 2003 Server, IIS 6, Enable Anonymous access is
turned off, and Integrated Windows Authentication is turned on.

When the user accesses the web page, I get the proper user name via
Context.User, System.Threading.Thread.CurrentPrincipal,
HttpContext.Current.User, etc. They all contain the user's proper
domain name and user name (e.g. MyDomain\bjones). But, if I call
User.IsInRole on a role that this user belongs to, it returns
false. When the user accesses this page, they are not prompted for
their username and password, so single sign-on is working here.

Now, I have a subdirectory that is restricted using roles,
so its directory has its own web.config:

<system.web>
    <authorization>
       <allow roles="Test" />
       <deny users="*" />
    </authorization>
</system.web>

Here, if the user accesses this page, then they are prompted to enter in
their username and password. First question: why are they prompted
for this when we already know who they are and they are in the "Test"
role?

After the user enters in their credentials and accesses the page OK,
they return back to the first page. At this point, the User.IsInRole
now starts working. It appears that the logon prompt of the user
caused the IsInRole to now start returning TRUE. Why does it now
work?

Nothing really different about the virtual directories.  If I change
the 1st directory to have the same authorization as the 2nd directory,
then they are prompted for username and password and IsInRole works.
Have also tried...

  <allow users="*" />
  <deny users="?" />

Thanks for any help,

Ron