Authenticate using Windows Authentication on single action and not whole application

Question

I would like to authenticate using Windows Integrated Authentication on a single controller action instead of the global application. I have read many articles online and StackOverflow, but have not found an answer. Note, I'm developing in Web API 2.0 and not MVC.

That said, typically to enable Windows Authentication on your whole application, you'd do something like Web API documentation describes:

<system.web>
    <authentication mode="Windows" />
</system.web>

Under the covers, I'm not sure what this does exactly, but I have a suspicion I may be able to replicate it on a single controller action by implementing IAuthenticationFilter as described by Web API documentation. However, I have not found a conclusive article explaining how do to this for Windows Integrated Authentication.

Example of my goal:

At the end of the day, I would like my single web API to accept a request from a client configured to use windows authentication in either of the following client scenarios:

C#

var handler = new HttpClientHandler()
{
    UseDefaultCredentials = true
};

var client = new HttpClient(handler);

Browser

$.ajax({
    url: 'api/testauthentication',
    type: 'GET',
    dataType: 'json',
    xhrFields: {
        withCredentials: true
    }
})

Edit #1

It has come to my attention it's worth noting I would like to accomplish the above programmatically and not through configuration files such as web.config, IIS settings, etc. Also, I'm using OWIN to host the application on my servers.

Answer 1

Answer is based on this MSDN article.

Essentially, you can define a custom delegate method which specifies which requests to authenticate using Integrated Windows Authentication.

builder in the following code refers to the IAppBuilder instance used in "Startup" code of OWIN self-hosting. See OWIN self-host article for more details on this related topic.

OwinHttpListener httpListener = (OwinHttpListener)builder.Properties[typeof(OwinHttpListener).FullName];
httpListener.Listener.AuthenticationSchemeSelectorDelegate = new AuthenticationSchemeSelector(DetermineAuthenticationScheme);

Then define DetermineAuthenticationScheme delegate method similar to the following:

AuthenticationSchemes DetermineAuthenticationScheme( HttpListenerRequest request )
{
    if ( request == null )
    {
        throw new ArgumentNullException( "request" );
    }

    if ( request.RawUrl.IndexOf( "v1/foo", StringComparison.OrdinalIgnoreCase ) >= 0 )
    {
        return AuthenticationSchemes.IntegratedWindowsAuthentication;
    }

    return AuthenticationSchemes.Anonymous;
}

Answer 2

Have you seen the following post? http://www.scip.be/index.php?Page=ArticlesNET38. It appears to be fairly step by step. You didn't mention if you had deployed this or had this in IIS Express running through visual studio but the one part that stuck out to me was the setting change that was required in the IIS Configuration in “My Documents\IISExpress\config

  <windowsAuthentication enabled="true">

Note that it appears this solution only covers the browser based portion of your question. For the non browser based portion, I am assuming that you would have to have the application receive the 401 response.

It looks like there is already a stackoverflow post that covers the HttpClient authentication using local windows credentials

How to get HttpClient to pass credentials along with the request?