Using Windows Authentication in ASP.NET

Question

I'm trying to use Windows Authentication in my ASP.NET application. Whenever I try to view the app it sends me to a login page. How can I make it work without having to manually login via the browser?

web.config

  <system.web>
    <authentication mode="Windows"></authentication>
    <anonymousIdentification enabled="false"/>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
    <customErrors mode="Off"></customErrors>
    <identity impersonate="true"></identity>
    <compilation debug="true" targetFramework="4.0" />
    <httpRuntime />
  </system.web>

error after updating IIS Express

Most likely causes:
No authentication protocol (including anonymous) is selected in IIS.
Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication.
Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server.
The Web server is not configured for anonymous access and a required authorization header was not received.
The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access.

applicationhost.config

<authentication>
  <anonymousAuthentication enabled="false" />
  <basicAuthentication enabled="false" />
  <clientCertificateMappingAuthentication enabled="false" />
  <digestAuthentication enabled="false" />
  <iisClientCertificateMappingAuthentication enabled="false">
  </iisClientCertificateMappingAuthentication>

  <windowsAuthentication enabled="true">
    <providers>
      <add value="Negotiate" />
      <add value="NTLM" />
    </providers>
  </windowsAuthentication>
</authentication>

In IIS you need to turn off Anonymous Authentication and enable Windows Authentication. — user469104, Apr 29 '16 at 19:50
@user469104 I get the error above after configuring IIS express. — Antarr Byrd, Apr 29 '16 at 20:10
If I uncomment the providers section I'm right back to where I started — Antarr Byrd, Apr 29 '16 at 20:35
Entering a login page does not mean that Windows authentication failed. Learn how to use a tool such as Fiddler and it would tell you much more. — Lex Li, May 01 '16 at 14:41
What does the rest of your configuration file look like (minus sensitive information)? Do you have any "Location" tags? Also, have you tried closing Visual Studio, backing up, and deleting the ApplicationHost.config file? It will be recreated when you open VS. Then use Visual Studio to reconfigure your IISExpress settings. — DVK, May 06 '16 at 19:38

score 20 · Answer 1 · edited Mar 27 '19 at 08:39

Windows Authentication with IISExpress

Update your web.config

Make sure your web.config file both enables windows authentication and also denies anonymous authentication. HttpContext.Current.User.Identity.Name will be blank if the app falls through to anonymous authentication. Your config should look something like this:

<authentication mode="Windows" />
<authorization>
    <deny users="?"/>
</authorization>

Error 401.2 Unauthorized Sometimes, you might get the error 401.2 Unauthorized: Logon failed due to server configuration error. If you do, verify that you have permission to view this directory or page based on the credentials you supplied. Also make sure you have the authentication methods enabled on the Web server.

Updating applicationhost.config

You also might find you have to update the IISExpress applicationhost.config file (dont’ worry – I didn’t know it either). This is essentially the file version of the IIS configuration tool, where you can configure the web server itself. Finding the applicationhost.config file can be tricky. It might be in:

%userprofile%\documents\iisexpress\config\applicationhost.config

or

%userprofile%\my documents\iisexpress\config\applicationhost.config

Once you find it, update the following lines (paying special attention to enabled=true):

<windowsAuthentication enabled="true">
    <providers>
        <add value="Negotiate" />
        <add value="NTLM" />
    </providers>
</windowsAuthentication>

This is the article

When debugging in VS 2017, I found I needed to update [solution path]\.vs\config\applicationhost.config. I replaced the authentication element with: — dajo, Apr 06 '18 at 20:16
This solution worked for me, but I needed to update the config in the solution (as @dajo said) rather than the one given by the OP — Liath, Sep 25 '18 at 14:17
There is another config file in C:\Program Files\IIS Express\AppServer, no idea how all these work with each other so just changed them all and that seemed to work! — waxingsatirical, Oct 18 '18 at 13:02

score 11 · Answer 2 · answered May 05 '16 at 16:18

We use Windows authentication for almost all of our intranet apps, including SharePoint. Employees must login if their browser doesn't automatically send their Windows credentials automatically to the site.

On IE, this is a matter of the browser's configuration. I think there are also ways to configure Chrome and Firefox to send Windows login automatically. I think Chrome will follow Window's internet settings (on the client) just like IE. Try to set the User Authentication options to "Automatic Logon with current username and password".

See below screenshot for an illustration to where that is.

Also note that this involves the user's browser sending a Windows Token to the application. The application must understand and trust the source of this token, and this would work with the support of a "domain" in which both the user and application reside in. I think it will work on a single machine (while you are debugging), but if you want this to work on multiple computers on a network, you need to look into creating a domain. A typical way to create a domain is Active Directory.

Let me know.

score 9 · Answer 3 · answered Apr 06 '18 at 20:21

9

When debugging my web app in VS 2017, I found I needed to update [solution path]\.vs\config\applicationhost.config. I replaced the authentication section with:

        <authentication>
          <anonymousAuthentication enabled="false" userName="" />

          <basicAuthentication enabled="false" />

          <clientCertificateMappingAuthentication enabled="false" />

          <digestAuthentication enabled="false" />

          <iisClientCertificateMappingAuthentication enabled="false">
          </iisClientCertificateMappingAuthentication>

          <windowsAuthentication enabled="true">
            <providers>
              <add value="Negotiate" />
              <add value="NTLM" />
            </providers>
          </windowsAuthentication>

        </authentication>

More here: https://stackoverflow.com/a/4813716/555142

answered Apr 06 '18 at 20:21

dajo

909
10
16

This answer applies if the web application has been run prior to altering the ApplicationHost.config under the user profile. If the ApplicationHost.config under the user profile is ammended before the .vs folder is created for the web application then this isn't necessary – Mick Feb 19 '20 at 02:07
1

After wasting ~half a day enabling literally everything in %userprofile%\documents\iisexpress\config\applicationhost.config, I modified this file too and now it works. Thanks! – gyozo kudor Jun 29 '20 at 11:57
I had the same problem as `gyozo kudor` (see that comment) – derekbaker783 Mar 31 '21 at 17:42

score 3 · Answer 4 · answered May 02 '16 at 13:51

3

Open IIS (Windows + R 'inetmgr')
Select the IIS Server (Root Node)
Double Click - 'Authentication'
Windows Authentication - Right-click and select 'Enable'
Forms Authentication - Right-click and select 'Disable'
Restart the IIS Server

answered May 02 '16 at 13:51

Mihir Kale

1,028
1
12
20

1

I know i'm a bit late for this one but you need to disable all other types of authentications and keep only Windows Authentication. – Mihir Kale May 19 '16 at 12:45

score 3 · Accepted Answer · answered May 08 '16 at 20:43

3

I was able get it working by removing the negotiate provider.

  <windowsAuthentication enabled="true">
    <providers>
      <add value="NTLM" />
    </providers>
  </windowsAuthentication>

answered May 08 '16 at 20:43

Antarr Byrd

24,863
33
100
188

You could have also just changed the ordering such that NTLM was before Negotiate – Mick Feb 19 '20 at 02:08

Using Windows Authentication in ASP.NET

web.config

error after updating IIS Express

applicationhost.config

5 Answers5

Linked