I would like to know if it is possible to deny a specific role in the web.config authorization section for WebAPI?
I've got the following configuration, but it's not working (I'm getting an HTTP 200 instead of Unauthorized) :-(
<authorization>
  <deny roles="Locked" />
</authorization>