I figured out what was happening in my previous post. It makes a bit more sense now that I have seen it, being able to just stop working on something is handy, basically the Rss feeds don’t do URL rewriting. So the call to /test1/Admin/ModeratedCommentRss.aspx uses the /web.config and would use the /test1/Admin/web.config, but it has no reason to look at the /Admin/web.config.

Not completely sure how I should change this. Right now I have the ModeratedCommentRss.aspx checking to see if the requestor is an Admin, and if not it calls FormsAuthentication.RedirectToLoginPage(). This works, but I would rather a solution that didn’t involve people needing to know to put the check in.

I also found this module helpful when I was figuring out where to do the conversion:  

public class DebugModule:System.Web.IHttpModule
{
    public EventHandler GetEventhandler(string name)
    {
        return new EventHandler(delegate(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;
            HttpContext context = app.Context;
            if (context != null)
                Debug.WriteIf(context.Response.StatusCode == 302, "Redirecting - ");
            Debug.WriteLine(name);
        });
    }

    public void Init(HttpApplication app)
    {

        Debug.WriteLine("---------------------------------");
        Debug.WriteLine("Module Init");
        Type appType = app.GetType();
        EventInfo[] events = appType.GetEvents();
        foreach (EventInfo eventInfo in events)
        {
            eventInfo.AddEventHandler(app, GetEventhandler(eventInfo.Name));
        }
    }
}

I used that class and a small test web project to figure out how to change the FormsAuthentication over to Basic authentication (seems like mixed authentication should have already been there though). 

Of course shortly after I figured most of it out I saw the link to the MSDN article Phil Haack had posted for the feature request.