HttpContext.Current.User is null even though Windows Authentication is on

Question

In IIS7 under Windows Server 2008, I have a virtual directory with anonymous access off and Windows authentication on. In my web.config, I have:

Answer 1

Anonymous access must be on if you don't use ssl or something your own security.

Answer 2

The answer to of moving the Application Pool back to classical is just delaying the problem.

Instead leave the application pool alone and move your authenticate check from Application_AuthenticateRequest(), to the next function in the pipeline:

Application_AuthorizeRequest(object sender, EventArgs e)

By then the integrated Application Pool has completed the windows authentication allow you not to receive null from HttpContext.Current.User.

The pipeline can be found here (link provided by CarlosAg).

A visualization of the pipeline can be found on the asp website message lifecycle page. In the controller section checkout the two green boxes "Authentication filters" and "Authorization filters". These are the areas you are messing with.

Answer 3

With IIS 7 and asp.net 4.0 the user was still null within Application_AuthenticateRequest() (object sender, EventArgs e). I had to place all authentication logic within the Application_PostAuthenticateRequest() (object sender, EventArgs e). You can see an example here context-user-is-null-in-application-authenticaterequest-via-windows-auth-in-asp

Answer 4

II7 has integrated authentication. You can set it back to the old type by changing the Application Pool back to classical in the basic settings in IIS.

*Caution this is just an explanation and example, you may want to use the integrated authentication and do something different.