Windows Authentication support in ASP.NET 5 beta 8

Question

I have an ASP.NET 5 MVC 6 Web API project. Most of the API endpoints have the [Authorize] attribute, and Windows Authentication is enabled in both IIS and on the properties of the project in Visual Studio. This all works fine in beta 7.

In beta 8, however, this does not work. It's easy to reproduce this with a completely clean project:

1. Create a new project using the ASP.NET 5 Web API template.
2. Get properties on the project (not the solution), go to the Debug tab, enable Windows authentication and disable Anonymous. Save the changes.
3. Hit F5 and let it attempt to run the project.

Result:

An error occurred attempting to determine the process id of the DNX process hosting your application.

4. Now go back to the project properties and enable Anonymous. Leave Windows enabled as well. Save the change.
5. Go to your controller and add the [Authorize] attribute.
6. F5 again.

Result:

The project launches this time, but the web API returns a 500. Notice in the Output window:

Microsoft.AspNet.Mvc.Controllers.ControllerActionInvoker: Warning: Authorization failed for the request at filter 'Microsoft.AspNet.Mvc.Filters.AuthorizeFilter'.

The project also does not work when published to IIS.

As noted in the beta 8 announcement, the hosting model has changed such that IIS is now passing the request through to Kestrel. The Servers page doesn't give any indication that Kestrel supports Windows Authentication. Is there some trick to getting Windows Authentication working in beta 8?

Answer 1

Also in web.config you should set forwardWindowsAuthToken="true" e.g:

 <httpPlatform processPath="%DNX_PATH%" arguments="%DNX_ARGS%" forwardWindowsAuthToken="true" startupTimeLimit="3600" />

Answer 2

This seems to be a known bug in the Visual Studio debugging tooling when using IIS Express. Until that is fixed, the only workaround I've found is to debug by running through WebListener instead of IIS Express. To set this up, in your Configure method in Startup.cs add:

// If we're self-hosting, enable integrated authentication (if we're using
// IIS, this will be done at the IIS configuration level).
var listener = app.ServerFeatures.Get<WebListener>();
if (listener != null)
{
    listener.AuthenticationManager.AuthenticationSchemes = 
        AuthenticationSchemes.NTLM;
}

Then in project.json add a weblistener cmd as follows:

"commands": {
  "weblistener": "Microsoft.AspNet.Server.WebListener --config hosting.ini",
  "web": "Microsoft.AspNet.Server.Kestrel"
},

... or similar. Then if you debug using the weblistener profile instead of IIS Express (or web, which under Kestrel does not support NTLM), you should be able to carry on working while the IIS Express tooling bug is resolved. You'll need to add Microsoft.AspNet.Server.WebListener to your project.json dependencies to enable WebListener, I believe.

I found that if I changed the "web" command directly in project.json, Visual Studio helpfully changes it back rather aggressively, so adding a separate command as recommended by the Microsoft team seems to keep everything happy.

Answer 3

There's a known tooling bug that prevents you from disabling "anonymous authentication": https://github.com/aspnet/Hosting/issues/419.

Re-enable it and the issue you're seeing should disappear.

Make sure you've also added app.UseIISPlatformHandler(); early in your Configure method: it is needed to resolve the Windows identity corresponding to the token flowed by IIS.