Disable windows WWW-Authenticate challenge RRS feed

  • Question

  • User33430421 posted


    Currently I have an application where I only need windows authentication on particular endpoints, but since this is configured server wide this is currently not possible for me. For context, I have developed an ASP.NET Core application which returns 401 response when API endpoints are called without a JWT, but then IIS adds the WWW-Authenticate headers which I don't want.

    I would like to avoid creating a dedicated server to deal with windows authentication, because that really would decouple my application. As of my understanding this is currently not possible when windows authentication is enabled on the project, as this is project wide and not per endpoint based. If I am missing something, please let me know.

    I would like to suggest that an application can add some header IIS looks for, and when it is not present only then adds the WWW-Authenticate Negotiate and NTLM headers. So when I send for example the header X-Ignore-Windows-Authentication, IIS should remove this header and not attach the WWW-Authenticate headers.

    I look forward to replies about this idea, because this definitely increases flexibility of IIS. 

    Friday, September 18, 2020 12:20 PM

All replies

  • User690216013 posted

    but since this is configured server wide

    Why cannot you disable Windows authentication at server level? By default it is disabled, so enabling it there is strange in the first place.

    Friday, September 18, 2020 4:56 PM
  • User1771714573 posted

    Hi W.Ameling,

    IIS won’t add www-authenticate header unless you enable windows authentication. 

    If you turn on authentication for a specific endpoint, a better way is to use filters in the core instead of configuring in the scope of the iis server.

    Adding headers in IIS can be implemented in the Http Response Header, but these headers will always be displayed in the response. If you want to change the response header with logical judgment in different situations as you described, it should be set in the code.

    Best regards,

    Monday, September 21, 2020 2:44 AM