email is the primary key on my users table, so I had User Name and User ID set to email.
I went back and made an auto increment field the primary key in the users table and rebuild the security pages from scratch. No change, I cannot get past the restrict access behavior.
The old DW behavior checked for a session variable "MM_Username" to determine if somebody was logged in. What is the actual mechanism that SA uses?