2

I have 2 projects in the solution, a console app and the MVC project. The console app will fire a request to http://localhost:68220/MyMvcArea/MyMvcController/MyMvcMethod. The MyMvcMethod is decorated with [Authorized] attribute in the MVC controller.

Debugging was OK in Visual Studio 2010 and 2012 with the development server using Windows Authentication mode. Now that I'm trying out Visual Studio 2013 with the same solution, I'm getting a 401 - Unauthorized response.

I enabled Windows Authentication for my MVC project in both the global applicationhost.config file and in the project properties. I can access the method in a browser, but the console app still gets a 401 response. The console app is also running under my Windows account, as I can verify in the Task Manager.

Does anyone know how to get around this? I only need this to work for debugging with IIS Express in Visual Studio.

Edit:

I've checked the IIS Express log, the sub-status code is 2. So according to MSDN, 401.2 refers to "Logon failed due to server configuration".

Leon Zhou
  • I may be missing the point, but the job of the Authorized attribute is not to let anonymous users execute the controller. I'm very surprised to hear that it worked in VS 2010 / VS 2012 - makes me think you might be having a security hole. – Andrew Savinykh Nov 13 '13 at 23:37
  • You are right zespri. I was wrong about the anonymous part. The web.config file of the project didn't have any authentication settings so I assumed that it was using anonymous mode. After some fiddling around, I realized that it was using Windows authentication by default. I've updated my question to reflect this. – Leon Zhou Nov 13 '13 at 23:49

2 Answers

4

I had the same issue. The short workaround is to allow Windows Authentication in IIS Express: "\Documents\IISExpress\config\applicationhost.config"

Change

<windowsAuthentication enabled="false">

To

<windowsAuthentication enabled="true">

As detailed here: Authentication issue when debugging in VS2013 - iis express

chinupson
1

I found a workaround to this problem. When creating the web request in the Windows service, I need to explicitly set the credentials:

request.Credentials = CredentialCache.DefaultNetworkCredentials;

However, we never needed to do this in VS2012; this looks a bit like a bug to me in the new version of IIS Express.

Edit: The above line is needed before each request is sent to the server, for example:

var request = (HttpWebRequest)WebRequest.Create(url);
request.Credentials = CredentialCache.DefaultNetworkCredentials;
request.BeginGetResponse(AsyncResponseCallback, state);
Leon Zhou
  • Where did you place this in an MVC application? – Luminous Apr 28 '15 at 15:53
  • I should have been more specific about the location of the code. You need to do this before sending your request to the server, on the client side. I have edited the answer to reflect this. – Leon Zhou May 07 '15 at 01:19
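
To tell the two causes discussed in the answers apart (client sending no credentials versus Windows Authentication disabled in IIS Express), the following console client is an added example, not code from either answer. The class name `AuthProbe` is hypothetical and the URL is the one from the question; it attaches the current Windows identity and, on a 401, prints the authentication schemes the server offered.

```csharp
using System;
using System.IO;
using System.Net;

// Hypothetical diagnostic client (added example, not from the original answers).
static class AuthProbe
{
    static int Main(string[] args)
    {
        // URL from the question; pass a different one as the first argument.
        string url = args.Length > 0
            ? args[0]
            : "http://localhost:68220/MyMvcArea/MyMvcController/MyMvcMethod";

        var request = (HttpWebRequest)WebRequest.Create(url);
        // HttpWebRequest attaches no credentials unless told to. The current
        // Windows identity is offered to whatever host the URL names, so keep
        // this to hosts you trust.
        request.Credentials = CredentialCache.DefaultNetworkCredentials;

        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream()))
            {
                Console.WriteLine("{0} {1}", (int)response.StatusCode, response.StatusDescription);
                Console.WriteLine(reader.ReadToEnd());
                return 0;
            }
        }
        catch (WebException ex)
        {
            var failed = ex.Response as HttpWebResponse;
            if (failed == null)
            {
                // Connection refused, DNS failure, timeout: no HTTP response at all.
                Console.Error.WriteLine("No HTTP response: " + ex.Status);
                return 2;
            }
            using (failed)
            {
                Console.Error.WriteLine("HTTP {0} {1}", (int)failed.StatusCode, failed.StatusDescription);
                // With Windows Authentication enabled, a 401 normally carries
                // Negotiate and/or NTLM challenges. None listed suggests the
                // server-side setting is still off.
                string[] challenges = failed.Headers.GetValues("WWW-Authenticate");
                Console.Error.WriteLine("WWW-Authenticate: " +
                    (challenges == null ? "(none)" : string.Join(", ", challenges)));
                return 1;
            }
        }
    }
}
```

The 401 sub-status (such as the 401.2 mentioned in the question) is not visible to the client; it is recorded only in the IIS Express log.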