Different authentication mode for different areas

Question

I have two portions of a website I am working on: one that uses normal forms authentication and another that uses an HMAC-based authentication. The forms based one works just as normal (except using a custom membership provider).

The most frustrating thing is that by default, if one decides to use the forms authentication it redirects all 401 responses to the loginUrl specified in the root Web.config under the authentication tag. In an effort to turn this off for the HMAC portion of my site I have created a separate area that those controllers live in. However, no matter where I put a <authentication mode="None"></authentication> tag (whether it be in the area/views Web.config, a Web.config I have placed in the area folder, or under a location tag in the root Web.config (doing that actually causes an error about that tag not belonging there)) I cannot seem to make this thing stop redirecting all 401s to the loginUrl.

Any assistance would be greatly appreciated as this is making me tear my hair out.

By the way, this question has been asked different ways at least 2 times with no (viable) responses. While mine focuses on setting the authentication mode to None,theirs generally focused on changing roles for paths (which in my opinion is easier to do with the [Authorize(Roles="role1,role2,role3")] attribute on each method) which makes my question a little different. If this is impossible, please also tell me so that I can figure out a better way to do this.

Answer 1

The authentication Element (ASP.NET Settings Schema) is only valid at the application level. You cannot have different authentication modes in the same application.

You can, however, specify a location Element (ASP.NET Settings Schema) to a specific area and specify an authorization Element (ASP.NET Settings Schema) inside it that allows anonymous users. You can also place an authorization element in a web.config file under a child directory of the application.

In order to use two different authentication schemes, you'll have to convert that area into a separate application. It can, if you wish, still be a child of the parent application, but there are some caveats. One of the caveats, of course, is that session state will not be shared between the two applications.

Also, see the Nested ASP.NET 'application' within IIS inheriting parent config values? question and ASP.NET Configuration File Hierarchy and Inheritance.