I am using ASP.NET MVC 3 and am trying to do something that should be really straight forward...

My application uses Forms authentication and that is working perfectly for controllers/actions. For example if I decorate either a controller or an action with the attribute below only members of the administrators group can view them:

[Authorize(Roles="Administrators")]

However I have a folder under the default Scripts folder called Admin. I only want members of the Administrators group to be able to access scripts within this directory so I created a new web.config in the directory with the following inside:

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Administrators"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>

However no matter whether a user is a member of the Administrators group or not they receive a 302 Found message and are then redirected to the login page.

If I change the web.config to allow user="*" then it works. It also works if I add an allow users="Username" for a specific user I am testing with.

Any ideas on where I'm going wrong or where I could start investigating?

Do you have RoleManager added into your web.config in default Scripts folder something as below

system.web>
    <authentication mode="Forms" >
      <forms loginUrl="login.aspx"
      name=".ASPXFORMSAUTH" />
    </authentication>

  <roleManager defaultProvider="SqlProvider" 
    enabled="true"
    cacheRolesInCookie="true"
    cookieName=".ASPROLES"
    cookieTimeout="30"
    cookiePath="/"
    cookieRequireSSL="false"
    cookieSlidingExpiration="true"
    cookieProtection="All" >
    <providers>
      <add
        name="SqlProvider"
        type="System.Web.Security.SqlRoleProvider"
        connectionStringName="SqlServices"
        applicationName="SampleApplication" />
      </providers>
    </roleManager>
  </system.web>