Running IdentityServer3 in IIS with Anonymous authentication disabled - authentication

Is it possible to run IdentityServer3 in IIS (hosted in IIS) with only Windows Authentication enabled? Is it mandatory to have anonymous authentication also enabled? If so, why is anonymous authentication required?
I am running the "MVC OWIN Client (Hybrid)" sample application and trying to access IdentityServer3, which is configured with only Windows Authentication in IIS. I am getting an unauthorized response; it looks like the "MVC OWIN Client (Hybrid)" sample is trying to access '../dentityServer3/.well-known/openid-configuration' and failing because anonymous authentication is disabled.
Any suggestions?

The Microsoft OpenID Connect middleware makes a request to the discovery endpoint to download issuer metadata. This assumes that anonymous access is enabled.
You'd need to statically configure the middleware instead. You could try to configure a BackChannelHandler that has Windows authentication enabled. It should work, but I haven't tried it yet.
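Both routes the answer mentions, written out for the Katana OpenID Connect middleware the MVC OWIN sample uses. This is an added example, not code from the question, the answer or the IdentityServer3 samples; the authority URL, client id, redirect URI and certificate thumbprint are placeholders, and the endpoint paths under the base URL are IdentityServer3's defaults.

```csharp
using System;
using System.IdentityModel.Tokens;                  // X509SecurityToken (System.IdentityModel.Tokens.Jwt 4.x)
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Protocols;            // OpenIdConnectConfiguration (Microsoft.IdentityModel.Protocol.Extensions 1.x)
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Assumed values, not from the question: where IdentityServer3 is hosted
    // (an IIS site that only allows Windows authentication) and the client
    // registration used by the hybrid sample.
    private const string Authority = "https://idsrv.example.local/identityserver3";
    private const string SigningCertThumbprint = "PLACEHOLDER-THUMBPRINT";

    // Switch between the two approaches described in the answer.
    private const bool UseStaticMetadata = false;

    public void ConfigureAuth(IAppBuilder app)
    {
        var options = new OpenIdConnectAuthenticationOptions
        {
            Authority = Authority,
            ClientId = "mvc.hybrid",                        // assumed client id
            RedirectUri = "https://client.example.local/",  // assumed redirect URI
            ResponseType = "code id_token",
            Scope = "openid profile",
            SignInAsAuthenticationType = "Cookies",
        };

        if (UseStaticMetadata)
        {
            // Option B: no discovery request at all. Katana ignores
            // MetadataAddress and the Backchannel* properties once
            // Configuration is set, so the 401 on
            // /.well-known/openid-configuration never happens.
            options.Configuration = StaticMetadata(LoadSigningCertificate());
        }
        else
        {
            // Option A: keep discovery, but let the back-channel HttpClient
            // answer the IIS Negotiate/NTLM challenge with the client
            // application pool's Windows identity. That identity (not the
            // browsing user) is what IdentityServer's IIS site must accept.
            options.BackchannelHttpHandler = new HttpClientHandler
            {
                UseDefaultCredentials = true
            };
        }

        app.UseOpenIdConnectAuthentication(options);
    }

    // Issuer metadata supplied by hand. Because nothing is downloaded from
    // jwks_uri, the IdentityServer3 signing certificate has to be added here
    // or id_token signature validation will fail.
    private static OpenIdConnectConfiguration StaticMetadata(X509Certificate2 signingCert)
    {
        var cfg = new OpenIdConnectConfiguration
        {
            Issuer = Authority,
            AuthorizationEndpoint = Authority + "/connect/authorize",
            TokenEndpoint = Authority + "/connect/token",
            UserInfoEndpoint = Authority + "/connect/userinfo",
            EndSessionEndpoint = Authority + "/connect/endsession",
        };
        cfg.SigningTokens.Add(new X509SecurityToken(signingCert));
        return cfg;
    }

    // Assumed: the signing certificate's public part is installed in the
    // local machine's Personal store on the client web server.
    private static X509Certificate2 LoadSigningCertificate()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false so a self-signed development certificate is found.
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, SigningCertThumbprint, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException("IdentityServer signing certificate not installed");
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

Two things to keep in mind when trying this against the hybrid sample. The middleware is only one of the callers: the sample's own code-for-token exchange and any userinfo or token-validation calls go to the same IIS site and need a handler with Windows credentials as well, otherwise they will hit the same 401. And the browser-side redirects to /connect/authorize are made by the end user's browser, so the IIS site must accept those users' Windows logons too; the discovery document itself is public by design, so protecting it with Windows authentication adds little beyond the breakage described in the question.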

Related

Can you Windows Auth to Basic Auth?

I'm developing a Blazor web application that will use Windows authentication. The web application requires data from another web service. Basic authentication is required on the web service. The web application and web service are in the same domain, using the same domain for authentication. Is there a way to take the Windows auth credential that the web application will possess and convert it to the basic auth required by the web service?
I am aware that the Windows auth credential does not contain the password and basic auth needs a password. I cannot change the authentication scheme of the web service. I cannot spin up a new instance of the web service with a different authentication mechanism. I can't use basic authentication for the web application. The web service requires that the web application connects to it using the logged-in user's credentials for logging purposes, i.e. I can't just use a service account to connect to the web service. I am open to using a different authentication mechanism for the web application with comparable security to Windows auth if it will work, SSO preferred.
I believe this is technically infeasible but would welcome any evidence to the contrary.

Deploy Azure AD WebAPI to IIS, with Windows Authentication enabled, skips Azure AD Authentication

I have a WebAPI that I have successfully secured with Azure AD. When I run it locally (through Visual Studio), trying to access the WebAPI end point via a browser gives me
Authorization has been denied for this request.
That is what I would expect. Accessing the WebAPI through a client with the ADAL library works as it should. A forms login screen pops up, authenticates me and passes back a token, which I can then use in my WebAPI requests.
Something I wouldn't expect happens if I deploy the WebAPI to an IIS server and have Windows Authentication enabled for the site. When I try to hit the IIS WebAPI endpoint through a browser, I get a Windows Authentication prompt. If I successfully authenticate with Windows Authentication, the WebAPI serves the response.
I guess I would expect that the WebAPI would return the same "Authorization has been denied for this request". Windows Authentication shouldn't authenticate me to the WebAPI if I've configured the WebAPI to use Azure AD authentication.
My question is: is this expected behaviour, and if so, why?
I can see from one perspective that the WebAPI can accept authentication from any method that I've configured. But part of me thinks that since the Azure AD authentication is configured in the WebAPI application, and not IIS, it should take precedence.

MVC web API identity impersonation

Hi all, I am developing a web API that will be using identity impersonation (always using the same functional identity, valid in my domain) to check the status of configuration files on some servers. To do that, I added this to my web.config file:
I also set my IIS server to disable anonymous authentication and accept Windows authentication for the web service. However, when I try to access the status of the files from a browser, I notice that the API is still using NT AUTHORITY\NETWORK SERVICE as the user and, of course, access to the remote files is denied. Does anyone have an idea of what I am missing?
Thanks
My fault, I forgot to set the authentication mode to Windows in web.config.
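A web.config that puts the fix from the answer next to the impersonation setting the question describes. This is an added example, not the asker's configuration (which is not shown on the page); the account name is a placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- The missing piece from the question: without mode="Windows" the
         request keeps running as the application pool identity
         (NT AUTHORITY\NETWORK SERVICE here), even though IIS only
         allows Windows authentication. -->
    <authentication mode="Windows" />

    <!-- Fixed functional identity used for the remote file checks.
         Placeholder account; the real credentials belong in this section
         encrypted, not in clear text (see note below). -->
    <identity impersonate="true"
              userName="CORP\svc-configcheck"
              password="PLACEHOLDER" />

    <!-- Refuse unauthenticated callers before any impersonation happens. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <system.webServer>
    <!-- Mirrors the IIS settings described in the question. These elements
         are locked at the server level by default and must be unlocked
         (or set in IIS Manager) before they take effect here. -->
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>

    <!-- Integrated pipeline mode otherwise rejects identity impersonate="true"
         with HTTP 500.24. -->
    <validation validateIntegratedModeConfiguration="false" />
  </system.webServer>
</configuration>
```

Since the functional account's password sits in the identity section, encrypt that section in place with the ASP.NET tool, e.g. `aspnet_regiis -pe "system.web/identity" -app "/MyApi"`, so the clear-text password is not readable by anyone with access to the deployment folder. Granting the functional account only read access on the configuration files it checks keeps the impersonated identity within the scope the API needs.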

Basic Authentication in REST WCF

I have developed a REST WCF service and would like clients to use it with Basic Authentication. I have hosted this service in IIS 7.0 and disabled all authentication except Basic Authentication.
Now the problem is that when I call this service from any other application (in my case I am calling it from a Ruby command prompt) with the header "Basic bXlhZGRvbjpDcFplcUc5MzlHdDZQMEtD", I am not able to authenticate to this service.
To make it simpler: when I access this service (.svc) from a browser, due to Basic Authentication
it prompts me to enter a username and password, so which credentials do I need to pass here, and against which credentials are they compared (whether I need to set them in web.config or in IIS)?
Thanks in Advance
Arun.
For Basic authentication, IIS will always try to validate the username and password as a Windows user (either a local or domain user).
Dominick has created a Basic HTTP Authentication module which lets you use other credential stores with Basic Authentication.
http://www.leastprivilege.com/HTTPBasicAuthenticationAgainstNonWindowsAccountsInIISASPNETPart3AddingWCFSupport.aspx

Authentication Required while sending a request to IIS from Objective-C

I have an iPad application in which I am making a proxy object using WCF Data Services (OData).
While initializing an object I am getting an "authentication required" error. My service is configured with Windows authentication on IIS 7.0.
Can anyone help me? How can I send Windows credentials to get access to all the verbs (POST, GET, DELETE, etc.)?
You must configure your service for anonymous access (or Basic authentication) if you want to access it from an iPad. Windows authentication is only for devices which are part of your Windows domain (or for local authentication).