If I set Windows Authentication to true in IIS7 and set Anonymous Authentication to false, I will get a WWW-Authenticate header. I assume this is the cue to the browser to popup the authentication dialog. I’m trying to figure out where in the ASP.NET pipeline the WWW-Authenticate header gets set (and what class is responsible for setting it it). I’ve done quite a bit of Googling and looking at WindowsAuthenticationModule and UrlAuthorizationModule in reflector but can’t seem to pinpoint it!
If I set Windows Authentication to true in IIS7 and set Anonymous Authentication to
Share
Several modules in IIS 7 perform tasks related to security in the request-processing pipeline. In addition, there are separate modules for each of the authentication schemes, which enable you to select modules for the types of authentication you want on your server.
The one you are looking for is the WindowsAuthenticationModule, which performs NTLM integrated authentication. It is located in Inetsrv\Authsspi.dll.
The picture below shows the HTTP request processing pipeline mechanism of IIS7.
For a complete in-depth elaboration, including the above material, visit: http://learn.iis.net/page.aspx/101/introduction-to-iis-7-architecture/
That should answer all your questions 🙂