running asp.net intranet application on localhost asking for authentication

Question

I have an intranet application written int ASP.net core, when I run this application on localhost, I get a pop window asking me to authenticate and once I enter my domain name\my username and password then it authenticates me and lets me run the application. Basically, I enter my Windows username and password and then I can see the application. Below is the screen of what I am getting:

this is what I tried:

1. went to the folder where the application resides
2. right click on it and click on the properties
3. properties->Security tab and gave full control to myself. Below is the screenshot:

This is what I have in web.config file:

<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
  <runtime>
 
  </runtime>
</configuration>

this is my IISExpress settings:

This is my startup.cs file:

public class Startup
 {
     public IConfiguration Configuration { get; }
     private const string DefaultConnection = "DefaultConnection";
     public Startup(IConfiguration configuration)
     {
         Configuration = configuration;
     }
     public void ConfigureServices(IServiceCollection services)
     {
         services.AddDbContext<AckPackage.Data.AckContext>(options =>
             options.UseSqlServer(
                 Configuration.GetConnectionString(DefaultConnection)));
         services.Configure<CookiePolicyOptions>(options =>
         {
             // This lambda determines whether user consent for non-essential cookies is needed for a given request.
             options.CheckConsentNeeded = context => true;
             options.MinimumSameSitePolicy = SameSiteMode.None;
         });
         //services.AddAuthentication(options =>
         //{
         //    options.DefaultAuthenticateScheme = IISDefaults.AuthenticationScheme;
         //    options.DefaultChallengeScheme = IISDefaults.AuthenticationScheme;
         //});
         services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
           .AddNegotiate();
         services.AddAuthorization(options =>
         {
             options.FallbackPolicy = options.DefaultPolicy;
         });
         services.AddHttpContextAccessor();
         services.AddControllersWithViews();
         services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
         services.AddDistributedMemoryCache();
         services.AddSession(options =>
         {
             options.IdleTimeout = TimeSpan.FromSeconds(120);
             options.Cookie.HttpOnly = true;
             options.Cookie.IsEssential = true;
         });
         services.AddRazorPages();
         //services.AddMvc().AddRazorRuntimeCompilation();
         services.BindingAppServices(Configuration);
         services.Configure<Microsoft.AspNetCore.Http.Features.FormOptions>(x =>
         {
             x.ValueLengthLimit = int.MaxValue;
             x.MultipartBodyLengthLimit = int.MaxValue; // In case of multipart
         });
     }
     public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
     {
         if (env.IsDevelopment())
         {
             app.UseDeveloperExceptionPage();
         }
         else
         {
             app.UseExceptionHandler("/Home/Error");
             // The default HSTS value is 30 days.
             app.UseHsts();
         }
         app.UseHttpsRedirection();
         app.UseStaticFiles();
         app.UseRouting();
         app.UseAuthentication();
         app.UseAuthorization();
         app.UseSession();
         app.UseEndpoints(endpoints =>
         {
             endpoints.MapControllerRoute(
                 name: "default",
                 pattern: "{controller=Employee}/{action=Create}/{id?}");
             endpoints.MapRazorPages();
         });
         // app.MapRazorPages();
     }

any help will be greatly appreciated.

Answer 1

This almost assuredly isn't a file permission issue. But it could be a couple of things that you'll need to check.

1. It could be a development certificate issue. Are you running in https mode, or just http? Do you load any certificates?
2. It's possible and probably the most likely scenario, is you're hosing it in IIS rather than IIS Express, or from the command line, and the IIS settings are setup for Windows Authentication.

Step one would be to try to host it from the command line / terminal.
Navigate to the root of your project (where the csproj is located) and type

dotnet run

And see if it'll host it - and run it and remove the authentication issue. If it does, then you have a good lead on the culprit.

EDIT

Based on the new screenshots and information, it sounds like you are attempting to automatically log in the user to their intranet (active directory??) username, so that you can utilize this in some way.

Give this a shot: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-8.0&tabs=visual-studio

Also note, that I've had countless issues getting AD authentication, even simple windows user auth, to work with IIS Express, you may want to switch over to actual IIS (which can be installed on your machine if it's not following this link) https://csharp-developer.com/step-by-step-guide-setting-up-iis-on-windows-11/

If you're not on windows 11, there are similar guides on getting it setup for your version of windows. Also: https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-8.0

To host your dotnet core project in IIS instead of IIS express, I originally followed this guide, so that I knew the ins and outs...after going through it once it's a breeze https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-8.0

Answer 2

(Edited based on new information)

That is a Basic Authentication modal popup - the browser shows that when the web server sends headers indicating that Authorization is required and that it accepts Basic Authentication . (Like this: How to display HTTP 401 basic authentication dialog)

Windows Authentication is how IIS implements Basic Authentication - it takes the username/password provided in response to the 401 challenge and actually tries to use those credentials to whatever Active Directory server(s) your web server is configured to use.

If you want your app to NOT prompt for username/password in this manner, enable Anonymous Authentication and disable Windows Authentication.