Windows Authentication in IIS Express

by Michael Szul on

At work, we integrate our LDAP instance and our LDAP groups into the security of our applications. Organization-wide, if your organizational ID made it into the LDAP instance, you'll have some form of access to the application. We further refine that by specifying groups that have more advanced access. Since logging into your computer logs you into the domain, for local development there is a desire to bypass re-authenticating in favor of using Windows authentication.

In Visual Studio, this is pretty easy. Make sure the properties window is visible, and then click on the project in the explorer window. The properties window will show you the project properties, which include both anonymous and Windows authentication options.

If you are using IIS Express to serve your web application, this is actually a hook into the IIS Express configuration.

If you are not using Visual Studio, you won't have this handy GUI window, so what do you do?

First, locate the IIS Express applicationhost.config file. It is usually in your Documents folder in your user directory. Mine is located at C:\Users\micha\Documents\IISExpress\config.

This file acts as the user-specific global configuration for IIS Express. You'll want to make a couple of changes.

First, locate the authentication section, and make sure that the overrides for anonymous and Windows authentication are set to "Allow" in the attributes. This is what permits your application's Web.config file to override those two authentication sections; any section left at "Deny" cannot be overridden from Web.config.

    <sectionGroup name="authentication">
        <section name="anonymousAuthentication" overrideModeDefault="Allow" />
        <section name="basicAuthentication" overrideModeDefault="Deny" />
        <section name="clientCertificateMappingAuthentication" overrideModeDefault="Deny" />
        <section name="digestAuthentication" overrideModeDefault="Deny" />
        <section name="iisClientCertificateMappingAuthentication" overrideModeDefault="Deny" />
        <section name="windowsAuthentication" overrideModeDefault="Allow" />
    </sectionGroup>

Next, find the system.webServer section where the modules are listed. Again, locate the entries for anonymous and Windows authentication, and change their lockItem attribute to false:

    <add name="AnonymousAuthenticationModule" lockItem="false" />
    <add name="WindowsAuthenticationModule" lockItem="false" />

Save this file, and close it. Now, inside of your application, add a security section to the system.webServer node in the Web.config file in order to override the default authentication settings:

    <security>
        <authentication>
            <windowsAuthentication enabled="true" />
            <anonymousAuthentication enabled="false" />
        </authentication>
    </security>
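As an added example (not code from the original post), the following Python script applies the three edits described above and then checks the result the way IIS Express will evaluate it: a Web.config override of a section whose overrideModeDefault is still "Deny" is rejected at startup (HTTP 500.19, "configuration section cannot be used at this path"), and an anonymousAuthentication element that is merely absent from Web.config leaves the applicationhost.config default in force rather than disabling anonymous access. The XML inputs are constructed, trimmed-down stand-ins for the real files, and the function names are this example's own; to use it on a real setup, read applicationhost.config and Web.config from disk and pass their text in.

```python
"""Apply and verify the IIS Express Windows-authentication edits (added example)."""
import xml.etree.ElementTree as ET

# Constructed, trimmed-down applicationhost.config in its "before" state.
APPHOST_SAMPLE = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <sectionGroup name="security">
        <sectionGroup name="authentication">
          <section name="anonymousAuthentication" overrideModeDefault="Deny" />
          <section name="basicAuthentication" overrideModeDefault="Deny" />
          <section name="windowsAuthentication" overrideModeDefault="Deny" />
        </sectionGroup>
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <system.webServer>
    <modules>
      <add name="AnonymousAuthenticationModule" lockItem="true" />
      <add name="WindowsAuthenticationModule" lockItem="true" />
    </modules>
  </system.webServer>
</configuration>"""

# Constructed Web.config with no security section yet.
WEBCONFIG_SAMPLE = """<configuration>
  <system.webServer />
</configuration>"""

AUTH_SECTIONS = ("anonymousAuthentication", "windowsAuthentication")
AUTH_MODULES = ("AnonymousAuthenticationModule", "WindowsAuthenticationModule")


def unlock_apphost(xml_text):
    """Steps 1 and 2: make the two auth sections overridable and unlock their modules."""
    root = ET.fromstring(xml_text)
    for section in root.iter("section"):
        if section.get("name") in AUTH_SECTIONS:
            section.set("overrideModeDefault", "Allow")
    # Only touch <modules>/<add> entries, not same-named <globalModules> entries.
    for entry in root.iterfind(".//modules/add"):
        if entry.get("name") in AUTH_MODULES:
            entry.set("lockItem", "false")
    return ET.tostring(root, encoding="unicode")


def _child(parent, tag):
    """Return the child element named tag, creating it if it is missing."""
    node = parent.find(tag)
    if node is None:
        node = ET.SubElement(parent, tag)
    return node


def enable_windows_auth(xml_text):
    """Step 3: turn Windows auth on and anonymous auth off in Web.config."""
    root = ET.fromstring(xml_text)
    auth = _child(_child(_child(root, "system.webServer"), "security"), "authentication")
    _child(auth, "windowsAuthentication").set("enabled", "true")
    _child(auth, "anonymousAuthentication").set("enabled", "false")
    return ET.tostring(root, encoding="unicode")


def check_configuration(apphost_text, web_config_text):
    """Return a list of problems; an empty list means the override will take effect."""
    problems = []
    apphost = ET.fromstring(apphost_text)
    overrides = {s.get("name"): s.get("overrideModeDefault") for s in apphost.iter("section")}
    for name in AUTH_SECTIONS:
        if overrides.get(name) != "Allow":
            problems.append(f"applicationhost.config: section {name} is locked; "
                            "IIS Express rejects a Web.config override of it (HTTP 500.19)")
    locks = {a.get("name"): a.get("lockItem") for a in apphost.iterfind(".//modules/add")}
    for name in AUTH_MODULES:
        if locks.get(name) != "false":
            problems.append(f"applicationhost.config: module {name} is still locked")
    auth = ET.fromstring(web_config_text).find("system.webServer/security/authentication")
    if auth is None:
        problems.append("Web.config: no system.webServer/security/authentication section")
        return problems
    win = auth.find("windowsAuthentication")
    if win is None or win.get("enabled") != "true":
        problems.append("Web.config: windowsAuthentication is not enabled")
    anon = auth.find("anonymousAuthentication")
    if anon is None or anon.get("enabled") != "false":
        # Absent means the applicationhost.config default applies, which is normally enabled.
        problems.append("Web.config: anonymousAuthentication is not explicitly disabled")
    return problems


if __name__ == "__main__":
    print("before:", check_configuration(APPHOST_SAMPLE, WEBCONFIG_SAMPLE))
    fixed_host = unlock_apphost(APPHOST_SAMPLE)
    fixed_web = enable_windows_auth(WEBCONFIG_SAMPLE)
    print("after: ", check_configuration(fixed_host, fixed_web))
    print(fixed_web)
```

The check is deliberately stricter than "does the site start": it treats a missing anonymousAuthentication element as a problem, because the goal of the post is to require a domain login, and silently inheriting the applicationhost.config default would leave the application open to unauthenticated requests. Note that the script only unlocks the two sections the post names; basicAuthentication and the certificate-mapping sections stay at "Deny".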

Now you can override the authentication values for Windows and anonymous authentication inside of your Web.config. Assuming your browser allows Windows authentication to pass through for the site, you should be able to launch your application without re-authenticating.