Disable windows WWW-Authenticate challenge

2 replies

Last post Sep 21, 2020 02:44 AM by Brucz

  • Disable windows WWW-Authenticate challenge

    Sep 18, 2020 12:20 PM|W.Ameling

    Hi,

    Currently I have an application where I only need Windows authentication on particular endpoints, but since this is configured server-wide, this is currently not possible for me. For context, I have developed an ASP.NET Core application which returns a 401 response when API endpoints are called without a JWT, but then IIS adds the WWW-Authenticate headers, which I don't want.

    I would like to avoid creating a dedicated server to deal with Windows authentication, because that really would decouple my application. To my understanding this is currently not possible when Windows authentication is enabled on the project, as this is project-wide and not per-endpoint. If I am missing something, please let me know.

    I would like to suggest that an application can add some header IIS looks for, and only when it is not present does IIS add the WWW-Authenticate Negotiate and NTLM headers. So when I send, for example, the header X-Ignore-Windows-Authentication, IIS should remove this header and not attach the WWW-Authenticate headers.

    I look forward to replies about this idea, because this definitely increases the flexibility of IIS.

  • Re: Disable windows WWW-Authenticate challenge

    Sep 18, 2020 04:56 PM|lextm

    W.Ameling

    but since this is configured server wide

    Why can't you disable Windows authentication at server level? By default it is disabled, so enabling it there is strange in the first place.

    Lex Li
    Affordable IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: Disable windows WWW-Authenticate challenge

    Sep 21, 2020 02:44 AM|Brucz

    Hi W.Ameling,

    IIS won’t add the WWW-Authenticate header unless you enable Windows authentication.

    If you turn on authentication for a specific endpoint, a better way is to use filters in the core instead of configuring it in the scope of the IIS server.

    Adding headers in IIS can be implemented in the HTTP Response Header, but these headers will always be displayed in the response. If you want to change the response header with logical judgment in different situations as you described, it should be set in the code.

    Best regards,
    Burcz
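
Per-endpoint scheme selection done in application code, as the last reply suggests. This is an added example, not code from any poster in the thread. It assumes ASP.NET Core 6 or later with the JwtBearer and Negotiate authentication packages; the routes and the `Jwt:*` configuration keys are constructed for illustration. It covers only which scheme the application challenges with; headers that IIS attaches by itself are still governed by the server's authentication settings.

```csharp
// Added example (not from the thread): Program.cs, ASP.NET Core 6+ minimal hosting,
// implicit usings enabled. Assumed NuGet packages:
//   Microsoft.AspNetCore.Authentication.JwtBearer, Microsoft.AspNetCore.Authentication.Negotiate
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Constructed configuration keys; the signing key belongs in a secret store, not in source.
var signingKey = builder.Configuration["Jwt:SigningKey"]
    ?? throw new InvalidOperationException("Jwt:SigningKey is not configured");

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme) // JWT is the default scheme
    .AddJwtBearer(o =>
    {
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = builder.Configuration["Jwt:Issuer"],
            ValidateAudience = true,
            ValidAudience = builder.Configuration["Jwt:Audience"],
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingKey))
        };
    })
    .AddNegotiate(); // registered, but used only where an endpoint names it

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Default policy: authenticated and challenged through the JWT bearer scheme.
app.MapGet("/api/orders", () => Results.Ok(new[] { "constructed-order-1" }))
   .RequireAuthorization();

// Windows authentication only here: the endpoint names the Negotiate scheme,
// so the application issues a Negotiate challenge for this route alone.
app.MapGet("/internal/whoami", (HttpContext ctx) => Results.Ok(ctx.User.Identity?.Name))
   .RequireAuthorization(new AuthorizeAttribute
       { AuthenticationSchemes = NegotiateDefaults.AuthenticationScheme });

app.Run();
```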