0

If I create an ASP.NET Core + Angular project and enable Windows Authentication (following these instructions link) and debug it using IIS Express, why does the Angular app load if I open the browser with a local user (runas /user:MY-PC\local-user Chrome.exe) which is not in AD? Shouldn't IIS Express ask me for credentials?

If I publish to Local IIS (with Windows Authentication enabled and Windows Hosting Bundle installed) using Web Deploy I get the same result, Angular app loads and Local IIS does not ask for credentials. I tried splitting the project with ASP.NET Core API + Angular, but I got the same result. I had to implement an endpoint with some logic to return 401 (not network user), 403 (network user but not in my AD Group) and a Guard in Angular to avoid loading the Component and 401 and 403 pages.

However, when I did publish to IIS on the server (manually, I created the website and copied the files, and installed Windows Hosting Bundle), I realized the behavior is different, the Angular app is not loaded and IIS always asks for credentials. If I put wrong credentials or click on Cancel, IIS shows 401. With the correct credentials I can access and browser will remember them, but if I close and open the browser again, I need to re-enter my credentials, which is a bit annoying.

IIS Express and Local IIS never ask me for credentials when I open a normal browser (using my AD account).

Why does 'IIS on the server' behave differently than 'Local IIS' and 'IIS Express'?

jps
  • 20,041
  • 15
  • 75
  • 79
Luis Hernandez
  • 453
  • 5
  • 8
  • I would guess that because you are the super user server admin of your own computer, then anything in regards to active directory or just about anything else will "pass" authentication since you are the logged on user and admin of that computer. I suspect if you logged on to the actual server where you publish as an admin, and also launched a browser page while on that computer you would see the same results. So running the software and IIS and this being your computer that you logged into with full rights? Same probably would occur if you logged onto the server and did the same thing – Albert D. Kallal Mar 11 '21 at 02:17
  • Windows authentication does accept local Windows accounts, so I don't see any problems here. – Lex Li Mar 11 '21 at 02:19
  • Well, I solved part of the issue. I tried some setting from [here](https://stackoverflow.com/questions/5402381/receiving-login-prompt-using-integrated-windows-authentication) plus adding the URL to the Proxy's exception list in Internet Properties. Now using my user, the website loads without asking for credentials. For a local-user IIS is still prompting for credentials. – Luis Hernandez Mar 11 '21 at 03:52
  • Do you mean that there is a difference in behavior between the IIS on the server and the local IIS? – Ding Peng Mar 11 '21 at 05:52
  • Yes @DingPeng I updated the post a little bit – Luis Hernandez Mar 11 '21 at 20:55
  • This may be related to the operating system, there will be differences in Windows authentication between Windows operating systems: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169017(v=ws.10) – Ding Peng Mar 18 '21 at 06:25

0 Answers0