June 20, 2025 08:06 by
PeterWith the aid of the operating system, users are authorized in ASP.NET Core applications using Windows Authentication. In intranet applications when users are in the same domain, Windows authentication is particularly helpful.
Set up ASP.net Core's Windows authentication
Configuring Windows Authentication for the application is an option in the Visual Studio web application template. We can make a web application that supports Windows Authentication by using this template option. With Visual Studio, we can use the template to develop a core web application. Change the authentication to Windows Authentication after selecting File >> New >> ASP.NET Core Web Application.
By choosing the WA option, we can also set up the current application for Windows Authentication. Open Visual Studio project properties and select the Debug tab to manually configure the authentication. It can be configured in the same way.
Alternatively, we can also configure Windows Authentication related properties into launchSettings.json file.
{
"iisSettings": {
"windowsAuthentication": true,
anonymousAuthentication": false,
"iisExpress": {
"applicationUrl": "http://localhost:26001/",
"sslPort": 0
}
}
}
Alternatively, we can create applications that support windows authentication by using command line. Using following command, we can create asp.net MVC core application with windows authentication.
>dotnet new mvc --auth windows
Configure Windows authentication on IIS
IIS uses the ASP.net core module to host asp.net core application. This module flows windows authentication to IIS by default. It is also possible that windows authentication is done only at IIS, not in the application. Following are the steps to configure windows authentication in IIS
The first step is to create or add website and create the application pool that works with ASP.NET Core application. The next step is to customize the authentication going go to Feature view >> select "Authentication" module, and enable Windows Authentication.
Configure Windows authentication on HTTP.sys
HTTP.sys is a Windows-based web server for ASP.NET Core. It is an alternative to Kestrel Server and it has some features that are not supported by Kestrel, one of them is it support windows authentication. To enable windows authentication with HTTP.sys server, it requires some configuration in Program class.
public class Program
{
public static void Main(string[] args) =>
BuildWebHost(args).Run();
public static IWebHost BuildWebHost(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.UseStartup<Startup>()
.UseHttpSys(options =>
{
options.Authentication.Schemes =
AuthenticationSchemes.NTLM | AuthenticationSchemes.Negotiate;
options.Authentication.AllowAnonymous = false;
})
.Build();
}
Windows Authentication
The attributes: "Authorize" and "AllowAnonymous" are used to determines access of anonymous in the application. There is no effect of these two attributes when Windows authentication is enabled, and anonymous access is disabled for the application. This is due to the fact that our request never reaches the application if the IIS or HTTP.sys is configured to disallow anonymous access. If both Windows authentication and anonymous access are enabled, the Authorize attribute allows us to secure the pieces of the application. The AllowAnonymous attribute overrides the behavior of Authorize attribute in the application. There is an additional configuration required in Startup class to challenge anonymous requests for Windows Authentication in ASP.NET Core 2.x.
The following code needs to be added to the ConfigureServices method of startup class if we are using IIS
services.AddAuthentication(IISDefaults.AuthenticationScheme);
The following code needs to be added to the ConfigureServices method of startup class if we are using HTTP.sys server.
services.AddAuthentication(HttpSysDefaults.AuthenticationScheme);
Summary
Windows Authentication is very useful in intranet applications where users are in the same domain. In this article, I have explained how to configure Windows Authentication in core application, IIS, and HTTP.sys. However, Kestrel doesn't support Windows Authentication.