
To start with, I had an Angular app that uses the angular-auth-oidc-client client library to initiate the Identity Server 4 authentication (authorization code flow with PKCE), using Facebook and Microsoft Account providers. That all works perfectly fine, running locally under IIS Express.

Now I wanted to add Windows authentication as well. So I added this to the launchSettings:

"iisSettings": {
  "windowsAuthentication": true
}

...and in the Startup of IdentityServer:

services.Configure<IISOptions>(iis => {
    // Name shown for the Windows scheme in the external-provider list
    iis.AuthenticationDisplayName = "Windows";
    iis.AutomaticAuthentication = true;
});

If I then triggered Windows Authentication, the Challenge method of the ExternalController was executed, and in the Callback I automatically received my Windows user; it did not ask me to enter credentials (working under Windows 10), so this worked perfectly as well.

Now, when I try to do the same under IIS (and I enable Windows Authentication in IIS), instead of automatically logging on with my Windows user, I get a popup:

[screenshot of the credentials popup]

So it seems that under IIS, Windows Authentication works differently, because it asks for my credentials instead of using those of the logged-in Windows user.

If I read the docs, I see that Kestrel or WebListener should be used. Is it really a requirement to use Kestrel or WebListener in order to get Windows Authentication in IIS working? Or am I missing something else?

EDIT: I'm trying this locally on my Windows 10 laptop, and I'm not in a domain.

L-Four
  • Have you configured your IIS web.config to actually forward the Windows token to your .NET Core server: https://stackoverflow.com/a/42163175/6827240 ? – Daboul Jan 28 '20 at 09:12
  • @Daboul I added it, but no difference – L-Four Jan 28 '20 at 13:21
  • Applications hosted in IIS and IIS Express are totally different. When you host an application in IIS Express, the code is executed under the logged-in user and it is placed in that user's session. When you host it in IIS, the code is executed under the application pool identity in session 0, which is isolated from other COM services. – Jokies Ding Jan 29 '20 at 08:51
  • @JokiesDing Thank you for your comment! I was suspecting this, thanks for the confirmation. Tomorrow I will do the same test on a laptop that is actually in the domain to see whether it can authenticate with a Windows account without that credentials popup; I suppose that the fact that I was doing this on a Windows 10 laptop in a workgroup (no domain) is also affecting this? – L-Four Jan 29 '20 at 18:04

1 Answer


In the meantime, I have deployed my components on a domain laptop (using IIS) to see whether it behaves differently; and indeed, there it does a silent SSO instead of asking for credentials. So this means that on my non-domain laptop it asked for credentials because I was not in a domain.

L-Four
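The thread touches four things that decide whether IIS does silent Windows SSO or prompts: domain membership (the accepted finding), the IIS authentication modules enabled on the site, the app pool identity the code runs under, and whether web.config forwards the Windows token to the ASP.NET Core process. The script below is an added diagnostic, not code from the question or answer; it assumes the WebAdministration module is available and that $SiteName is the IIS site hosting IdentityServer.

```powershell
# Added diagnostic (not from the original post). Run in an elevated PowerShell on the IIS host.
# $SiteName is an assumption: replace it with the site that hosts IdentityServer.
param(
    [string]$SiteName = 'Default Web Site'
)
Import-Module WebAdministration

$sitePath = "IIS:\Sites\$SiteName"
$site     = Get-Item $sitePath

# 1. Domain membership: the answer only saw silent SSO on a domain-joined machine.
$cs = Get-CimInstance Win32_ComputerSystem
"Domain joined  : $($cs.PartOfDomain) (domain/workgroup: $($cs.Domain))"

# 2. Authentication modules on the site. For Windows auth to challenge,
#    windowsAuthentication must be enabled; anonymousAuthentication usually off.
$authBase = 'system.webServer/security/authentication'
$winAuth  = Get-WebConfigurationProperty -Filter "$authBase/windowsAuthentication"   -Name enabled -PSPath $sitePath
$anonAuth = Get-WebConfigurationProperty -Filter "$authBase/anonymousAuthentication" -Name enabled -PSPath $sitePath
"Windows auth   : $($winAuth.Value)"
"Anonymous auth : $($anonAuth.Value)"

# Providers offered to the browser (Negotiate, NTLM) in the order IIS advertises them.
$providers = Get-WebConfiguration -Filter "$authBase/windowsAuthentication/providers/add" -PSPath $sitePath
"Providers      : $(($providers | ForEach-Object { $_.value }) -join ', ')"

# 3. App pool identity: under IIS the code runs as the pool identity, not the logged-in user
#    (the point made in the comments), so the request's Windows identity must be forwarded.
$pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"
"App pool       : $($site.applicationPool) runs as $($pool.processModel.identityType)"

# 4. Does web.config forward the Windows token to the ASP.NET Core process?
$webConfig = Join-Path $site.physicalPath 'web.config'
if (Test-Path $webConfig) {
    [xml]$cfg = Get-Content $webConfig
    $aspNetCore = $cfg.configuration.'system.webServer'.aspNetCore
    "forwardWindowsAuthToken: $($aspNetCore.forwardWindowsAuthToken)"
} else {
    "web.config not found at $webConfig"
}
```

If the machine reports PartOfDomain = False, a credentials prompt instead of silent SSO is the behaviour the answer describes, regardless of the other settings.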