We're working on a custom authentication module to hit a web service to see if a given username/password is allowed access to a certain folder, based on the leastprivileged guides.
At first we had issues where if we set the custom auth module to enabled, on a certain folder only, the entire site would then become password protected.
Doing 'Convert to Application' on the folder seems to fix this, then the rest of the site is unaffected but just that one folder (and all subfolders/files) throws up a login prompt like we want.
Furthermore, lets say we want /admin/ to be protected like this, but /admin/public/ should be wide open and not prompt anyone to log in. We can go to that /admin/public folder and set the custom authentication module to disabled, but it doesn't go into effect until we turn that folder into an Application as well.
The module shows up in the Authentication choices (i.e. next to Anonymous Authentication) on all folders regardless of if they are Applications
or not. Maybe the fact that it is a managed code authentication module is what's making turning folders into Applications necessary to make it behave properly? Just wondering if this is normal expected behavior or if we need to do some more fine tuning on our custom authentication module so turning folders into Applications is not required.
Windows 2008 R2, IIS 7.5, 64 bit
Thanks!