I have an intranet application using windows authentication that works great. Now I have a requirement to expose an Api area. This area should use basic authentication but to keep things easy I am first just trying to make this area allowed to anonymous.
I am using IIS 7.5 and it is configured like this:
IIS > My Intranet Site > Authentication > Windows Authentication Enabled,
everything else Disabled
in the application root web.config I have
<authentication mode="Windows"></authentication>
All the intranet controllers (except for Api Area) inherit from a BaseController that have an AuthorizeAttribute
I tried adding
<location path="~/Api">
<system.web>
<authentication mode="None" />
</system.web>
</location>
In the web.config for the API area, but no go, still get prompted for credentials.
My application structure looks like this
-IntranetApp
--Controllers
--Areas
----Area1
----Area2
----Api
All should be using Windows Authentication except for Api area.
Thanks for any help/pointers.
I don’t know details, but the way I’ve seen “mixed” authentication done is two web applications. The one with windows authentication enabled will then use the ASP membership API to authenticate the user(and automatically create a username if necessary using information from domain account) and then redirect to the other site. Both site’s membership config share the same application ID, keys, etc.
You are probably running into this:
“you cannot achieve this within a single application because in IIS once you set up Windows authentication for a virtual directory it will no longer accept users from different domains.”
See this for more information on setting up one version of this:
ASP.NET MVC and mixed mode authentication