Issue with SignalR + Windows Auth & Allow Anonymous Enabled

  • Question

  • User-926756681 posted

    I have been experiencing issues using SignalR in a windows auth application which allows anonymous users.

    Application Specs:

    • MVC5
    • Web API 2.2
    • Global AuthorizeAttribute filters for both MVC and API Controllers
    • Web.config only contains <authentication mode="Windows">, no <authorization> tag
    • Web Server has "Allow Anonymous" and "Windows Authentication" enabled
    • SignalR Hub has [Authorize] attribute on the only public method (not the class - but both scenarios have the same result)
    • Hub Connection happens on each page load when the MVC Page is served up


    When navigating between pages - randomly I get a 403 forbidden response when attempting to make a connection to the hub on page load. This does not happen on each page but does happen quite frequently.

    In Fiddler the response says:

    "Unrecognized user identity.  The user identity cannot change during an active SignalR connection."

    Chrome console will spit out a:

    "failed: Error during WebSocket handshake: Unexpected response code: 403"

    The issue does not exist when disabling "Allow Anonymous" on the web server and adding the following lines to the web.config:


    <deny users="?"/>


    I need allow anonymous to work so I can create an external endpoint to be called from one of our other applications. 

    I've been searching all over and can't find much - please help.

    SignalR Version: 2.2.0

    Thursday, June 4, 2015 12:02 PM


All replies

  • User1644755831 posted

    Hello dmazz55,

    Please see this article. http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api

    Please try to set AllowAnonymousAttribute for the get methods.

    As per the article: Alternatively, you can restrict the controller and then allow anonymous access to specific actions, by using the AllowAnonymousAttribute. In the following example, the POST method is restricted, but the GET method allows anonymous access.

    [Authorize] // every action requires an authenticated user by default
    public class ValuesController : ApiController
    {
        [AllowAnonymous] public HttpResponseMessage Get() { ... } // anonymous allowed
        public HttpResponseMessage Post() { ... } // restricted by the class-level [Authorize]
    }

    Hope this helps.

    With Regards,

    Krunal Parekh

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, June 8, 2015 3:31 AM
  • User400823961 posted

    We're experiencing the same issue described here.  Just to be clear, are you recommending disabling anonymous access on the web server and then only allowing anonymous access to specific actions as an override?  Any idea what is actually causing the issue within the SignalR infrastructure and is there possibly a fix in the works?

    Thursday, June 18, 2015 4:04 PM