This change allows you to specify which role is allowed to login to the panel

Add the element ExcludedRolesToLogin tp the SiteSettings.config and specify
comma separate which roles are not allowed to login to the panel. e.g.:

<ExcludedRolesToLogin>Administrator,Reseller</ExcludedRolesToLogin>

By doing this you can eliminate the attack surface by publishing the portal
twice. One for the organization administrators and an internal one for the
adminsitrators and reseller admins

WebsitePanel/Sources/WebsitePanel.EnterpriseServer.Base/Common/BusinessErrorCodes.cs

@@ -63,6 +63,7 @@ namespace WebsitePanel.EnterpriseServer
         public const int ERROR_USER_WRONG_PASSWORD = -110;
         public const int ERROR_INVALID_USER_NAME = -111;
         public const int ERROR_USER_ACCOUNT_NOT_ENOUGH_PERMISSIONS = -112;
+        public const int ERROR_USER_ACCOUNT_ROLE_NOT_ALLOWED = -113;
         #endregion
 
         #region Packages

WebsitePanel/Sources/WebsitePanel.WebPortal/App_GlobalResources/WebsitePanel_SharedResources.ascx.resx

@@ -5134,4 +5134,11 @@
   <data name="Error.LYNC_ADD_PLAN" xml:space="preserve">
     <value>Error creating organization plan. See audit log for more details.</value>
   </data>
+  <data name="Error.ERROR_USER_ACCOUNT_NOT_ENOUGH_PERMISSIONS" xml:space="preserve">
+    <value>User has not enough permissions to do this task.</value>
+  </data>
+  <data name="Error.ERROR_USER_ACCOUNT_ROLE_NOT_ALLOWED" xml:space="preserve">
+    <value>Wrong user name or password have been specified or account is locked.</value>
+  </data>
+
 </root>

WebsitePanel/Sources/WebsitePanel.WebPortal/Code/PortalUtils.cs

@@ -330,6 +330,8 @@ namespace WebsitePanel.Portal
                 {
                     UserInfo user = authService.GetUserByUsernamePassword(username, password, ipAddress);
                     if (user != null)
+                    {
+                        if (IsRoleAllowedToLogin(user.Role))
                         {
                             // issue authentication ticket
                             FormsAuthenticationTicket ticket = CreateAuthTicket(user.Username, user.Password, user.Role, rememberLogin);
@@ -337,6 +339,8 @@ namespace WebsitePanel.Portal
 
                             CompleteUserLogin(username, rememberLogin, preferredLocale, theme);
                         }
+                        else return BusinessErrorCodes.ERROR_USER_ACCOUNT_ROLE_NOT_ALLOWED;
+                    }
 
                     return 0;
                 }
@@ -347,6 +351,25 @@ namespace WebsitePanel.Portal
             }
         }
 
+        private static bool IsRoleAllowedToLogin(UserRole role)
+        {
+
+            string tmp = GetExcludedRolesToLogin();
+
+            if (tmp == null) tmp = string.Empty;
+
+            string roleKey = ((UserRole)role).ToString();
+
+            return !tmp.Contains(roleKey);
+        }
+
+
+        public static string GetExcludedRolesToLogin()
+        {
+            return PortalConfiguration.SiteSettings["ExcludedRolesToLogin"];
+        }
+
+
         private static int GetAuthenticationFormsTimeout()
         {
             //default

WebsitePanel/Sources/WebsitePanel.WebPortal/WebsitePanel.WebPortal.csproj

@@ -221,8 +221,12 @@
     <None Include="App_Data\SupportedThemes.config" />
     <None Include="App_Data\Countries.config" />
     <None Include="App_Data\CountryStates.config" />
-    <None Include="App_Data\WebsitePanel_Modules.config" />
-    <None Include="App_Data\WebsitePanel_Pages.config" />
+    <None Include="App_Data\WebsitePanel_Modules.config">
+      <SubType>Designer</SubType>
+    </None>
+    <None Include="App_Data\WebsitePanel_Pages.config">
+      <SubType>Designer</SubType>
+    </None>
     <None Include="App_Data\Ecommerce_Modules.config" />
     <None Include="App_Data\Ecommerce_Pages.config" />
     <None Include="App_Data\SupportedLocales.config" />