Introduction
Using Windows Authentication, users are authenticated in ASP.NET Core application with help of operating system. Windows Authentication is very useful in intranet applications where users are in the same domain.
Configure Windows authentication in ASP.net Core
The Visual Studio web application template has an option to configure Windows Authentication for the application. Using this template option, we can create a web application that supports Windows Authentication.
We can create core web application using Visual Studio by using the template. Select File >> New >> select ASP.NET Core Web Application, and change the authentication to Windows Authentication.
We can also configure the existing application for Windows Authentication by selecting the option of WA. To configure the authentication manually, open Visual Studio project properties >> go to Debug tab. It has the option to configure the same.
Alternatively, we can also configure Windows Authentication related properties into launchSettings.json file.
- {
- "iisSettings": {
- "windowsAuthentication": true,
- anonymousAuthentication": false,
- "iisExpress": {
- "applicationUrl": "http://localhost:26001/",
- "sslPort": 0
- }
- }
- }
Alternatively, we can create applications that support windows authentication by using command line. Using following command, we can create asp.net MVC core application with windows authentication.
- >dotnet new mvc --auth windows
Configure Windows authentication on IIS
IIS uses the ASP.net core module to host asp.net core application. This module flows windows authentication to IIS by default. It is also possible that windows authentication is done only at IIS, not in the application. Following are the steps to configure windows authentication in IIS
The first step is to create or add website and create the application pool that works with ASP.NET Core application. The next step is to customize the authentication going go to Feature view >> select "Authentication" module, and enable Windows Authentication.
Configure Windows authentication on HTTP.sys
HTTP.sys is a Windows-based web server for ASP.NET Core. It is an alternative to Kestrel Server and it has some features that are not supported by Kestrel, one of them is it support windows authentication. To enable windows authentication with
HTTP.sys server, it requires some configuration in Program class.
- public class Program
- {
- public static void Main(string[] args) =>
- BuildWebHost(args).Run();
-
- public static IWebHost BuildWebHost(string[] args) =>
- WebHost.CreateDefaultBuilder(args)
- .UseStartup<Startup>()
- .UseHttpSys(options =>
- {
- options.Authentication.Schemes =
- AuthenticationSchemes.NTLM | AuthenticationSchemes.Negotiate;
- options.Authentication.AllowAnonymous = false;
- })
- .Build();
- }
Windows Authentication
The attributes: "Authorize" and "AllowAnonymous" are used to determines access of anonymous in the application. There is no effect of these two attributes when Windows authentication is enabled, and anonymous access is disabled for the application. This is due to the fact that our request never reaches the application if the IIS or HTTP.sys is configured to disallow anonymous access. If both Windows authentication and anonymous access are enabled, the Authorize attribute allows us to secure the pieces of the application. The AllowAnonymous attribute overrides the behavior of Authorize attribute in the application. There is an additional configuration required in Startup class to challenge anonymous requests for Windows Authentication in ASP.NET Core 2.x.
The following code needs to be added to the ConfigureServices method of startup class if we are using IIS
- services.AddAuthentication(IISDefaults.AuthenticationScheme);
The following code needs to be added to the ConfigureServices method of startup class if we are using HTTP.sys server.
- services.AddAuthentication(HttpSysDefaults.AuthenticationScheme);
Summary
Windows Authentication is very useful in intranet applications where users are in the same domain. In this article, I have explained how to configure Windows Authentication in core application, IIS, and HTTP.sys. However, Kestrel doesn't support Windows Authentication.