Multiple/Different authentication settings in web.config

How would I go about setting different authentication tags for different parts of my web app? Say I have:

/
/folder1/
/folder2/

Would it be possible to specify different <authentication/> tags for each folder?

I want folder1 to use Windows authentication but folder2 use Forms authentication.

I tried doing in a <location/> tag but it doesn't look like you can have <authentication/> tags in a <location/> tags, at least not via VS 2008 with it's built in webserver.

This errors out saying - Error 3 It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.

<location path="/folder1">
    <system.web>
      <authentication mode="Forms" />
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>

From stackoverflow

• I think you can set the forms authentication authorization on folder1 to

  <allow users="*" />
  

  then control the windows access via setting windows permissions on the folder.

  I haven't tried it, but I can't think of why that wouldn't work.

• These settings are only valid at the root level of your ASP.Net application. To use different settings in a sub folder you will need to go into IIS and set that sub folder to be a new application.

  Once you done this, the folder will have a different icon in the IIs manager. Inside your subfolder, create a new web.config file and add the new authentication settings there.

  More information available at Creating Applications.

  Tim Boland : Right, but it seems like in VS2008 debugger, it can't treat these subfolders as application folders, I'll need to test out by pushing to an IIS server

  Generic Error : If you are using the built in Visual Studio web server then yes, you are correct, you will need to set up the application in IIS.

• You can only have <authentication /> on the top level web.config. You may have to create multiple applications. ie you can create an application within an application and use different authentication modes in each one.