0

I'm working on an ASP.NET Core web application deployed on IIS, with two Controllers. The action methods under one controller are used by an intranet application so the controller uses windows authentication while the action methods under the other controller may be used from outside the intranet, thus the controller uses bearer token authorization.

The authentication for both controllers works fine, until one point. If the bearer token authentication fails for an action method (for example, in case the bearer token expired) then I'm getting a popup from the browser asking for credentials because IIS is sending back WWW-Authenticate: Negotiate and WWW-Authenticate: NTLM in the response headers. I assume this is happening because windows authentication is enabled in IIS per the entire web application. (I should probably specify that I have Anonymous Authentication enabled in IIS too).

Is there a way to prevent IIS from sending WWW-Authenticate: Negotiate and WWW-Authenticate: NTLM in the response headers when the bearer token authentication fails for action methods that do not use windows authentication?

I can replicate this very easily with a Startup class like the one below:

    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {
            services.AddControllers();
            services.AddAuthentication().AddJwtBearer();
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseHttpsRedirection();
            app.UseRouting();
            app.UseAuthorization();
            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }
    }

and a controller like the one below:

 [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
    [Route("[controller]")]
    [ApiController]
    public class BearerController : ControllerBase
    {
        // GET: /Bearer
        [HttpGet]
        public IEnumerable<string> Get()
        {
            return new string[] { "value1", "value2" };
        }
    }

What I tried so far was setting the DefaultChallengScheme, DefaultForbidScheme, DefaultSignInScheme to JwtBearerDefaults.AuthenticationScheme from the callback passed to the services.AddAuthentication method but with no success.

I also looked into disabling windows authentication for the controller that is not using it by changing the web.config of my web application but I did not find a way to disable it only for an URL path but just for the entire web application.

vicch
  • 564
  • 3
  • 10
  • 25
  • Taking a quick look at this, I think (quick guess to give you at least a hint to try out)... you'll have to create custom [Authorize] and/or ActionFilterAttribute to deal with this. or at least on the windows-controller one. see https://stackoverflow.com/questions/38751104/web-api-authorize-at-controller-or-action-level-no-authentication to say another way.. after you do the configuration for how [Authorize] is working..i don't think it can be "this or that"...its meant for the same consistency across all controller/method with the [Authorize] attribute – granadaCoder Jul 17 '20 at 15:28
  • Please refer to the below links for help. https://stackoverflow.com/questions/53327905/asp-net-core-jwt-windows-authentication-http-400-error https://github.com/aspnet/Security/issues/1853 https://github.com/aspnet/Security/issues/1711 – Abraham Qian Jul 24 '20 at 10:37

0 Answers0