Reputation: 4303
I have an ASP.NET web application that has Windows authentication enabled. I need to write an ASP.NET Web API controller in that application that uses some of the data access logic of the application. I don't want to create a new project for the Web API alone, as I need to expose just a small endpoint that handles a couple of requests.
The Web API clients would consume the service anonymously. To allow this, I tried using the AllowAnonymous action filter on both the controller and the actions. But when I try hitting the API using Fiddler, the request fails with status 401, saying "401 - Unauthorized: Access is denied due to invalid credentials".
Is there a way to achieve this?
Upvotes: 13
Views: 42096
Reputation: 908
If the settings are not working after the change, try iisreset /start.
It worked for me: the health Web API controller was enabled for anonymous access while all other Web API controllers and MVC controllers remained with NTLM Windows authentication enabled. The web.config doesn't contain tag at all because the settings were done at the IIS level. Windows authentication was enabled and Anonymous was disabled (site level, authentication settings). web.config:
<location path="api/health">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>
Upvotes: 0
Reputation: 1413
The way I solved the problem, using Visual Studio 2015 and .NET 4.5.2, was to set the Web API project properties to have both Anonymous Authentication and Windows Authentication set to Enabled (note these will also have to be set in the IIS instance). Then within my controllers I decorated the methods that would require authentication with the [Authorize] attribute as well as the name of my custom authentication attribute.
This permitted the default configuration for the controller methods to accept anonymous calls and only the few special methods that required authentication had the extra decorators. I didn't have to add anything to the web.config or WebApiConfig.cs files. The Global.asax did have a call to my custom authentication static function which set global values.
Upvotes: 3
Reputation: 1324
I'm a bit late to the party, but ensure that Anonymous Authentication is enabled. Then add:
<configuration>
  ...
  <location path="api/...">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
To your web.config.
I am assuming you have:
<system.web>
  ...
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
This worked for me.
Upvotes: 15
Reputation: 18482
Well - all controllers that need authentication need the Authorize attribute (that could be a global filter) - then use AllowAnonymous on the ones that don't need authN.
Then make sure anonymous authentication is enabled in IIS for the vdir - and also make sure there is no global authorize element in web.config.
Upvotes: 9
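The arrangement described in the answer above, written out as an added example that is not code from any of the posts: a global Authorize filter makes every Web API action require an authenticated user, and AllowAnonymous opts a single controller out. It assumes Web API 2 attribute routing, Anonymous and Windows Authentication both enabled in IIS, and no global authorize element in web.config; the controller names and the api/reports route are hypothetical.

```csharp
using System.Web.Http;

// Added example; controller names and routes are hypothetical.
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Deny by default: every Web API action requires an authenticated
        // user unless it opts out. With Anonymous Authentication enabled in
        // IIS, an action without this filter would be open to everyone.
        config.Filters.Add(new AuthorizeAttribute());

        config.MapHttpAttributeRoutes();
    }
}

// Opt-out: reachable without credentials.
// This must be System.Web.Http.AllowAnonymousAttribute; the System.Web.Mvc
// attribute of the same name is ignored by Web API's AuthorizeAttribute.
[AllowAnonymous]
[RoutePrefix("api/health")]
public class HealthController : ApiController
{
    [HttpGet, Route("")]
    public IHttpActionResult Get()
    {
        // Anonymous callers arrive with an unauthenticated principal.
        return Ok(new { status = "ok", authenticated = User.Identity.IsAuthenticated });
    }
}

// No attribute needed: the global filter applies, so a request
// without credentials is answered with 401.
[RoutePrefix("api/reports")]
public class ReportsController : ApiController
{
    [HttpGet, Route("")]
    public IHttpActionResult Get()
    {
        return Ok(new { user = User.Identity.Name });
    }
}
```

The global filter keeps the anonymous surface limited to the controllers that carry AllowAnonymous, so a controller added later is not exposed by omission.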