I have a web application which will be hosted in intranet IIS server. The requirement is that the Login endpoint should perform LDAPS authentication. In local dev environment everything went well. But when this is placed in real-time IIS server or in my local IIS Server , it is prompting for a sign in as shown in this image:
I don't want this to happen. I will allow requests from any windows user and my Authentication endpoint will take care of handling.
Where should I make changes? Is it in my .NET6 web api code or do the IIS Server settings need to be changed?
Steps I performed in IIS:
- I launched my local IIS server in Admin mode.
- In my site, I click on "Anuthentication" => Anonymous Authentication = disabled => Windows Authentication = Enabled;
- I tried check/uncheck on Extended protection and Enable-Kernel Mode.
Nothing helped here. The sign in prompt still exists.
I found a solution on the internet saying, Go to Control Panel => Internet Options => Internet => Authentication Logon => select Anuthenticate logon with current user and password, but this also did not work for me.
my .net6 program.cs code to handle CORS and Windows authentication is:
//c# .net6 code
var builder = WebApplication.CreateBuilder(args);
var corsOrigins = builder.Configuration["Cors:origins"].Split(",");//Taking origins from config. file
var corsMethods = builder.Configuration["Cors:methods"].Split(",");
builder.Services.AddCors(options =>
{
options.AddDefaultPolicy(builder =>
{
builder.WithOrigins(corsOrigins)
.AllowAnyHeader()
.WithMethods(corsMethods)
.AllowCredentials();
});
});
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
.AddNegotiate();
builder.Services.AddAuthorization(options =>
{
// By default, all incoming requests will be authorized according to the default policy.
options.FallbackPolicy = options.DefaultPolicy;
});
Changes I made in IIS are also shown in this image:
.
Also, I don't have any roles/groups in IIS.
Finally, I don't want to get this automatic sign in event triggered on my API endpoints. The actual authentication logic to handle is already taken care by an Authentication endpoint by recognizing the windows identity of the user and performing LDAPS.
Please help me on this issue.
The thing to understand here is Windows Authentication is not LDAPS authentication. If you really want to do LDAPS, you need to allow Forms Authentication. This is what will let you build your own login page with a Form allowing the user to login. You then must also grant Anonymous access to the login page.