ASP.NET Web Service inside Forms Authentication Application

Question

I have an existing ASP.NET application that implements Forms Authentication site-wide. The application is deployed in multiple instances (e.g., customer1, customer2, test, dev, etc...), with a separate database per instance. SSL is in play. Instance configuration is via an XML config file.

I have a new requirement to allow upload/download of certain data, which I would like to implement as a public web service.

My initial thought here was to selectively disable forms authentication for a subdirectory of the application (e.g., ~/Services), and then do authentication via a SOAP header or similar.

However, I'm not finding a way to selectively disable forms auth.

Question: Is there a way to do this? I've tried the <location> tag in web config to no avail.

If not, what are your recommendations for how to set this up? I can think of the following options:

1) Create a new "Services" project in my solution, and then configure a separate IIS ASP.NET application on that directory in each instance. (Pro: easy access to instance configuration, which may be needed in the future. Con: configuration burden for each relevant instance).

2) Create a separate "Services" solution that references needed assemblies from the application solution and host it as a separate ASP.NET application. Then, lookup the db connection string based on the UserName provided in SOAP Header. (Pro: single app to configure in IIS. Con: No easy access to instance config.)

3) ??

Clarification: I did see the answer here: Override ASP.NET forms authentication for a single page, but the use of a location tag is not helping (requests for the web service are still redirected). The relevant sections in my web.config look like this:

<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx"/>
  </authentication>
  <authorization>
    <deny users="?"/>
    <allow users="*"/>
  </authorization>
</system.web>

<location path="~/Services/MyService.asmx">
  <system.web>
    <authentication mode="None" />
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

Answer 1

I would think the location tag would work, where you specify the services folder and allow all users, something like:

<location path="services">
      <system.web>
         <authorization>
            <allow users="*"/>
         </authorization>
      </system.web>
</location>

But you said that didn't work, have you tried putting a web.config file in the services folder and disabling forms authentication and allowing all users in that file?