13

I have an ASP.NET web application that has Windows authentication enabled. I need to write an ASP.NET Web API controller in that application that uses some of the data access logic of the application. I don't want to create a new project for the Web API alone as I need to expose just a small end point that handles a couple of requests.

The Web API clients would consume the service anonymously. To allow this, I tried using AllowAnonymous action filter on both controller as well as the actions. But, when I try hitting the API using Fiddler, the request fails with status 401 saying "401 - Unauthorized: Access is denied due to invalid credentials".

Is there a way to achieve this?

4 Answers

15

I'm a bit late to the party, but ensure that Anonymous Authentication is enabled. Then add:

<configuration>
  ...
  <location path="api/...">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>

to your web.config.

I am assuming you have:

<system.web>
  ...
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>

This worked for me.


1 Comment

Very important part - Check Anonymous Authentication is enabled, Thanks
9

Well - all controllers that need authentication need the Authorize attribute (that could be a global filter) - then use AllowAnonymous on the ones that don't need authN.

Then make sure anonymous authentication is enabled in IIS for the vdir - and also make sure there is no global authorize element in web.config.

9 Comments

Do you mean adding a location element with path pointing to the virtual path? I tried that, but no luck.
No. Everything is happening at the controller level. Just make sure web.config has no authorization element and that anonymous authentication is enabled or allowed (at the IIS level).
Do I need to allow both windows and anonymous authentications at IIS level? If I do that, it doesn't assign AUTH_USER and LOGON_USER server variables, this is failing the windows authentication.
I know this is an old topic, but I am having the reverse issue: I need to authorise the connection to the controller to find out who the user is so that only certain data is returned. However, the this.User.Identity is empty... Any suggestions, please?
Hi @ozzy432836 - Sorry for the delay. I sort of sorted it, not elegantly, but it worked. What I did was create a new web app on IIS with Anonymous authentication. This means you have two URLs, but as it's an API I didn't see an issue with it.
3

The way I solved the problem, using Visual Studio 2015 and .NET 4.5.2, was to set the Web API project properties to have both Anonymous Authentication and Windows Authentication set to Enabled (note these will also have to be set in the IIS instance). Then within my controllers I decorated the methods that would require authentication with the [Authorize] attribute as well as the name of my custom authentication attribute.

This permitted the default configuration for the controller methods to accept anonymous calls and only the few special methods that required authentication had the extra decorators. I didn't have to add anything to the web.config or WebApiConfig.cs files. The Global.asax did have a call to my custom authentication static function which set global values.


0

If the settings are not working after changing them, try iisreset /start.

It worked for me: the health Web API controller was enabled for anonymous access while all other Web API controllers and MVC controllers remained with NTLM Windows authentication enabled. The web.config doesn't contain tag at all because the settings were done at the IIS level. Windows authentication was enabled and Anonymous was disabled (site level, authentication settings). web.config:

<location path="api/health">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
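
The `<location>` override used in the answers above opens a path to unauthenticated callers, so it is worth checking which paths a deployed web.config actually exposes. The following is an added example, not code from any of the answers: a Python check that applies ASP.NET's first-matching-rule order to the anonymous user and reports `<location>` paths that allow anonymous access but are not on an expected list. The sample config, the `api` override in it, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the layout from the answers plus one over-broad override.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization><deny users="?" /></authorization>
  </system.web>
  <location path="api/health">
    <system.web><authorization><allow users="?" /></authorization></system.web>
  </location>
  <location path="api">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>"""


def anonymous_decision(system_web):
    """Return "allow"/"deny" from the first rule matching the anonymous user, else None."""
    if system_web is None:
        return None
    # Rules are evaluated top to bottom; "?" is anonymous, "*" is everyone.
    # Simplification: the verbs and roles attributes are not considered.
    for rule in system_web.findall("authorization/*"):
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:
            return rule.tag
    return None


def audit(config_text, expected_anonymous):
    """Return (root_denies_anonymous, sorted unexpected anonymous location paths)."""
    root = ET.fromstring(config_text)
    root_denies = anonymous_decision(root.find("system.web")) == "deny"
    unexpected = []
    for loc in root.findall("location"):
        path = loc.get("path", "").strip("/").lower()
        if anonymous_decision(loc.find("system.web")) == "allow" and path not in expected_anonymous:
            unexpected.append(path)
    return root_denies, sorted(unexpected)


if __name__ == "__main__":
    denies, unexpected = audit(SAMPLE_WEB_CONFIG, {"api/health"})
    print("root denies anonymous:", denies)
    print("unexpected anonymous paths:", unexpected)
```

This only inspects URL authorization rules in the file; whether Anonymous Authentication is enabled in IIS is a separate setting that the answers configure at the site level.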
