I have a web application that is using Forms authentication. I have a page that I DON’T want to redirect to the login form. I have this for that page:
<location path="service1.svc">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
From my understanding if a user is not authenticated (anonymous) and they try to access page1.svc then they would NOT get redirected to the login page, but in my app they still are.
Am I missing something here?
I figured it out! The way the Forms-authentication module works is that it checks any outgoing responses in the EndRequest method and if the status code is 401 (Unauthorized) then it changes the status code to 320 and redirects it to the Login Page. What happened in my case is I had a separate module that manipulated the response before the forms-auth page got a hold of it and occasionally set the status code to 401 to initiate an ntlm authentication exchange. But the forms-auth intercepted it before the exchange could happen.
The work around is to use the EndRequest method in the global.aspx file to set the status code back to 401 because the forms-auth had already manipulated it by this point. In my case instead of setting the status code to 401 in the first place I set it to 407 and then caught it in the endRequest method to change it back to 401 and avoid the forms-auth module all together.