Allow anonymous to ASP.NET Web API controller while rest of the application runs under windows authentication

Question

I have an ASP.NET web application that has Windows authentication enabled. I need to write an ASP.NET Web API controller in that application that uses some of the data access logic of the application. I don't want to create a new project for the Web API alone as I need to expose just a small end point that handles a couple of requests.

The Web API clients would consume the service anonymously. To allow this, I tried using AllowAnonymous action filter on both controller as well as the actions. But, when I try hitting the API using Fiddler, the request fails with status 401 saying "401 - Unauthorized: Access is denied due to invalid credentials".

Is there a way to achieve this?

Answer 1

I'm a bit late to the party, but ensure that Anonymous Authentication is enabled. Then add:

<configuration>
  ...
  <location path="api/...">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>

To your web.config.

I am assuming you have:

<system.web>
  ...
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>

This worked for me.

Answer 2

Well - all controllers that need authentication need the Authorize attribute (that could be a global filter) - then use AllowAnonymous on the ones that don't need authN.

Then make sure anonymous authentication is enabled in IIS for the vdir - and also make sure there is no global authorize element in web.config.

Answer 3

The way I solved the problem, using Visual Studio 2015 and .NET 4.5.2, was to set the Web API project properties to have both Anonymous Authentication and Windows Authentication set to Enabled (note these will also have to be set in the IIS instance). Then within my controllers I decorated the methods that would require authentication with the [Authorize] attribute as well as the name of my custom authentication attribute.

This permitted the default configuration for the controller methods to accept anonymous calls and only the few special methods that required authentication had the extra decorators. I didn't have to add anything to the web.config or WebApiConfig.cs files. The Global.asax did have a call to my custom authentication static function which set global values.