tl/dr: can I stop DNN from using Forms Authentication for some requests so 401 responses reach the client?
We have two websites that we want to share a domain name .. one DNN 7.3 site and a .NET MVC style project. Each are in their own independent Site in IIS. The DNN site is bound to port 80 and the main domain name, with rewrite rules in the web.config that redirect requests to /api/* to the other Site. Using the advanced management UI from https://dnnurlmanagement.codeplex.com/ we have been able to stop the DNN Friendly URL module from intercepting requests, and get the web.config rewrite rules to work.
Unfortunately, when our API chooses to respond with 401 Unauthorized, for example when you try to log in with an invalid password, the 401 response is intercepted by the Forms Authentication HttpModule in DNN and changed to a 302 Found redirect to the login page. This seems very well documented and led me to the MADAM library at https://msdn.microsoft.com/en-us/library/aa479391.aspx
It seems clear that the order of processing for typical unauthorized requests, e.g. to the Admin site in DNN when not logged on, is:
1/ Forms Authentication is enabled
2/ URL Authorization scheme decides if a request is to be served or denied, and may respond with 401.
3/ Forms Authentication intercepts this and turns the 401 into a 302 with Location header pointing to Login page.
MADAM promises to offer the ability to replace the normal Forms Authentication scheme with a more configurable option so you can decide when to perform step 3 above, and when not to.
We installed MADAM and carefully configured it to not use Forms Authentication for requests to api/* but are still getting 302 responses. We looked at outbound rewrite rules, but they cannot change the response status code.
I see in the DNN site's web.config there are suspicious lines like:
<!-- register local configuration handlers -->
<section name="authentication" requirePermission="false" type="DotNetNuke.Framework.Providers.ProviderConfigurationHandler, DotNetNuke" />
This makes me feel DNN may be completely taking over the Forms Authentication handling and MADAM has no chance to operate, but I cannot tell for sure.
Is it possible to get our 401 response returned to the client unaltered? Is MADAM the right approach to use?