In recent days, I was debugging to find out why the Application_AuthenticateRequest() method is called for all requests (including .css, .js, … requests), which did not happen before.
We are changing from forms authentication to claims-based authentication. In the source code for this change, we have:
This is the reason, which I spent a day detecting. 😦
Setting runAllManagedModulesForAllRequests to "true" is a best practice, but if the modules are handled well and performance is critical, we can set it to "false".
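As an added example (not the configuration from this project), the web.config fragment below contrasts the setting that sends every request through the managed modules with the per-module alternative. The two WIF modules and their names are assumptions: they stand in for whichever claims-based modules the application registers, using the .NET 4.5 System.IdentityModel.Services types.

```xml
<!-- Added illustration. Module registrations are assumed, not taken from the post. -->
<configuration>
  <system.webServer>

    <!-- Variant A: all managed modules run for every request, including
         .css, .js and images, so authentication events fire for static files. -->
    <!-- <modules runAllManagedModulesForAllRequests="true" /> -->

    <!-- Variant B: the global switch is off and each module opts in only for
         requests served by a managed handler (pages, handlers, controllers). -->
    <modules runAllManagedModulesForAllRequests="false">
      <add name="WSFederationAuthenticationModule"
           type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
           preCondition="managedHandler" />
      <add name="SessionAuthenticationModule"
           type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
           preCondition="managedHandler" />
    </modules>

  </system.webServer>
</configuration>
```

With Variant B, static files no longer pass through the managed authentication modules, so any static content that must stay behind login has to be served through a managed handler or kept on Variant A.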