Here is my scenario:
I’ve got a website set up in IIS (7.5) that uses Forms Authentication. I’ve got a subfolder within that website that I’m using as a WebDAV share. I’ve got a custom HTTP Module monitoring my WebDAV requests and also acts as a level of custom authentication. This custom authentication will first send a HTTP 401 Challenge to get the user’s credentials when they try to map a drive to my WebDAV share, and then the credentials are parsed out of the Basic-Auth header server-side. The problem is that a Basic-Auth header is only sent if Forms Authentication is turned off.
What’s more is that normally when my HTTP Module doesn’t find an Auth Header, a 401 Challenge is sent (which prompts the user for credentials when Forms Auth is turned off). However, with Forms Auth turned on, my HTTP Module still executes and sends a 401 Challenge, but it appears that the Forms Auth is taking priority so in Fiddler I can clearly see a redirect to:
/Account/Login.aspx?ReturnURL=MySubFolder
The point of the custom authentication is so that I can allow the user to log-in to my site when mapping a drive to my WebDAV share. I want to capture their website credentials, authenticate them, and then show them the contents of the directory.
So my question is:
Is there a way to get Forms Authentication disabled on a subfolder or Virtual Directory within a website which has Forms Authentication enabled?
I’ve verified that I can get around this by creating a new Application in my website and put the subfolder in there, and then disable Forms Auth on the Application itself, but I’d really prefer not to do that if possible.
Everything I’ve tried (listed below) has resulted with my request to map a drive to Http://localhost/MySubFolder getting taken over by Forms Authentication (at least that’s what I think is happening) and redirected to /login.aspx?ReturnUrl=MySubFolder (as shown in Fiddler).
Here’s what I’ve tried:
1) Added a separate Web.config in MySubFolder:
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
2) Added a <location> tag in the root-level Web.config for MySubFolder like this:
<location path="MySubFolder">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
3) Looked at updating the Feature Delegation in IIS.
Personally, I had some doubt with the above solutions because from what I’ve read, they are meant to simply allow all access while still leaving Forms Authentication enabled. I need a way to actually get Forms Authentication disabled on my subfolder. Is this possible?
I should also note that my subfolder could be a Virtual Directory, but it’s not required one way or the other. I just need a way for Forms Auth to be disabled on that folder.
As per request, my Web.config file (site-level):
<?xml version="1.0"?>
<configuration>
<connectionStrings>
<add name="MyConnString" connectionString="Persist Security Info=True;Initial Catalog=MyDB;Data Source=MyServer;User ID=UserName;Password=xxxxxxxxxx;MultipleActiveResultSets=True;"/>
</connectionStrings>
<system.web>
<compilation debug="true" strict="false" explicit="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
</system.web>
<system.webServer>
<modules runManagedModulesForWebDavRequests="true" runAllManagedModulesForAllRequests="true">
<add name="CustomWebDAVModule" type="CustomWebDAVModule"/>
</modules>
</system.webServer>
</configuration>
This question has already been answered: Multiple/Different authentication settings in web.config
You can’t override the root authentication mode=”Forms” tag within location tags. Making the folder it’s own application is the easiest way out.
Another option is to implement your own custom Forms authentication and have it ignore the redirect for your webdav folder.