I'm writing an application with MVC and I'm at the point where I need to start applying the authorization checks but I can't get them to work under any conditions. I'm using Windows Authentication on a system that's a member of an internal domain. Authentication works fine, and the roles are populated as well. But no matter what value I pass to the AuthorizeAttribute on any action method, it always lets me in. I've even tried outright denying everyone access by doing something along the lines of [Authorize(Roles = "DOMAIN\Moron")] but I can still get in (Is it trying to tell me something?).
I've also noticed that every time I try to debug the application by placing a breakpoint (in a controller for example) and it hits that breakpoint, I get a warning that the source is different than when the module was built.
My Development environment is running Windows 7 RTM which is is showing IIS as 7.5. Would any of this cause the problem I'm having or am I just missing something?