Disable windows WWW-Authenticate challenge
Last post Sep 21, 2020 02:44 AM by Brucz
Sep 18, 2020 12:20 PM|W.Ameling
Currently I have an application where I only need Windows authentication on particular endpoints, but since this is configured server-wide this is currently not possible for me. For context, I have developed an ASP.NET Core application which returns a 401 response when API endpoints are called without a JWT, but then IIS adds the WWW-Authenticate headers, which I don't want.
I would like to avoid creating a dedicated server to deal with Windows authentication, because that really would decouple my application. To my understanding this is currently not possible when Windows authentication is enabled on the project, as this is project-wide and not per-endpoint based. If I am missing something, please let me know.
I would like to suggest that an application can add some header IIS looks for, and only when it is not present does IIS add the WWW-Authenticate Negotiate and NTLM headers. So when I send, for example, the header X-Ignore-Windows-Authentication, IIS should remove this header and not attach the WWW-Authenticate headers.
I look forward to replies about this idea, because this definitely increases flexibility of IIS.
Sep 18, 2020 04:56 PM|lextm
"but since this is configured server wide"
Why can't you disable Windows authentication at the server level? By default it is disabled, so enabling it there is strange in the first place.
Sep 21, 2020 02:44 AM|Brucz
IIS won't add the WWW-Authenticate header unless you enable Windows authentication.
If you turn on authentication for a specific endpoint, a better way is to use filters in the core instead of configuring in the scope of the IIS server.
Adding headers in IIS can be implemented in the HTTP Response Header, but these headers will always be displayed in the response. If you want to change the response header with logical judgment in different situations as you described, it should be set in the