I have seen a lot of confusion around setting the authentication mode to Windows in web.config and enabling Windows Authentication in IIS.
The first thing to understand is that these are two separate settings: setting authentication mode="Windows" in web.config does not enable or disable (Integrated) Windows Authentication in IIS, and vice versa. One is enforced by IIS before the request ever reaches your code; the other is enforced by ASP.NET.
So let's discuss it scenario by scenario.
Let's say I have enabled Windows Authentication for my application in IIS and set the authentication mode to None in web.config:
<authentication mode="None" />
Would everybody be able to access the application?
No. Every request to the application goes to IIS first, and IIS tries to authenticate it; only if the request is authenticated does IIS hand it on to the application. So it does not matter that web.config sets authentication to None: the request is forwarded to ASP.NET only after IIS has authenticated it.
To get authenticated, the user has to supply domain credentials when the browser prompts for them while accessing the application. Only domain users (accounts the server can authenticate) will be able to reach the application at all.
After that, it is up to ASP.NET whether it does any further authentication or authorization of its own.
Now let's make it the other way round: enable Anonymous Authentication (and leave Windows Authentication disabled) in IIS, and set the authentication in web.config as
<authentication mode="Windows" />
<authorization>
  <deny users="?"/>
</authorization>
This time, when the request reaches IIS, IIS forwards it to ASP.NET without any credentials, because Anonymous Authentication is enabled. ASP.NET therefore receives no Windows identity from IIS, the request is treated as anonymous, the <deny users="?"/> rule rejects it, and an Access Denied error is shown to the user.
So you can see that a request is authenticated at two levels: at IIS and at the ASP.NET application level.
In both cases the user gets an Access Denied error, but the Access Denied page is different in each case, and that difference tells you which level rejected the request.
The Access Denied error from IIS 8 looks like this:
When we open the URL, the browser prompts for credentials, and if we don't provide them IIS returns the above error, whose details show that the request was not authenticated at IIS.
If instead we enable Anonymous Authentication in IIS, ASP.NET throws an error like this:
This one simply says that access is denied because the request is unauthorized, i.e. it was ASP.NET, not IIS, that rejected it.
So, to use Windows authentication in your application, i.e. if you want IIS to authenticate the user and pass that identity on to ASP.NET, you should enable Windows Authentication (and disable Anonymous Authentication) in IIS and set authentication mode="Windows" in web.config.
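The following PowerShell script is an added example, not code from the original post. It applies the combination recommended above (Windows Authentication on and Anonymous Authentication off in IIS, mode="Windows" plus <deny users="?"/> in web.config), reads the effective settings back so you can see both levels at once, and then probes the application once without credentials (expect 401) and once with the current Windows account (expect 200). The site name "Default Web Site", the application name "MyApp" and the URL http://localhost/MyApp/ are assumptions; change them to match your server. Run it in an elevated PowerShell on the IIS server.

```powershell
# Added example (not from the original post). Uses the WebAdministration module
# that ships with IIS 7 and later. Site/app names and URL are assumptions.
Import-Module WebAdministration

$site = "Default Web Site"     # assumption
$app  = "MyApp"                # assumption
$url  = "http://localhost/$app/"   # assumption

# --- IIS level ---------------------------------------------------------------
# The IIS authentication providers live under system.webServer/security/authentication.
# That section is locked in applicationHost.config by default, so write it as a
# <location> entry there (-PSPath IIS:\ -Location ...) rather than into web.config.
$iisAuth = "/system.webServer/security/authentication"
Set-WebConfigurationProperty -Filter "$iisAuth/windowsAuthentication"   -Name enabled -Value $true  -PSPath "IIS:\" -Location "$site/$app"
Set-WebConfigurationProperty -Filter "$iisAuth/anonymousAuthentication" -Name enabled -Value $false -PSPath "IIS:\" -Location "$site/$app"

# --- ASP.NET level -------------------------------------------------------------
# <system.web><authentication mode="Windows"/><authorization><deny users="?"/></authorization>
# belongs in the application's own web.config; edit the file directly as XML.
$physicalPath = [Environment]::ExpandEnvironmentVariables((Get-WebApplication -Site $site -Name $app).PhysicalPath)
$cfgPath = Join-Path $physicalPath "web.config"

function Ensure-Element([System.Xml.XmlNode]$parent, [string]$name) {
    # Return the child element $name, creating it if it does not exist.
    $child = $parent.SelectSingleNode($name)
    if (-not $child) { $child = $parent.AppendChild($parent.OwnerDocument.CreateElement($name)) }
    return $child
}

[xml]$cfg = Get-Content $cfgPath
$systemWeb = Ensure-Element $cfg.DocumentElement "system.web"
(Ensure-Element $systemWeb "authentication").SetAttribute("mode", "Windows")
$authz = Ensure-Element $systemWeb "authorization"
if (-not $authz.SelectSingleNode("deny[@users='?']")) {
    $deny = $cfg.CreateElement("deny")
    $deny.SetAttribute("users", "?")      # "?" means anonymous (unauthenticated) users
    [void]$authz.AppendChild($deny)
}
$cfg.Save($cfgPath)

# --- Read back both levels so the two settings can be compared side by side ----
function Get-EffectiveAuth([string]$Site, [string]$App) {
    $loc = "$Site/$App"
    [pscustomobject]@{
        IisWindowsAuth   = (Get-WebConfiguration -Filter "$iisAuth/windowsAuthentication"   -PSPath "IIS:\" -Location $loc).enabled
        IisAnonymousAuth = (Get-WebConfiguration -Filter "$iisAuth/anonymousAuthentication" -PSPath "IIS:\" -Location $loc).enabled
        AspNetAuthMode   = (Get-WebConfiguration -Filter "/system.web/authentication" -PSPath "IIS:\Sites\$Site\$App").mode
    }
}
Get-EffectiveAuth $site $app | Format-List

# --- Probe: which level answers, and with what status? -----------------------
function Test-AppAccess([string]$Uri, [switch]$WithCredentials) {
    try {
        $resp = if ($WithCredentials) { Invoke-WebRequest -Uri $Uri -UseDefaultCredentials -UseBasicParsing }
                else                   { Invoke-WebRequest -Uri $Uri -UseBasicParsing }
        return [int]$resp.StatusCode
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; the response object still carries the status.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}
"Anonymous request : HTTP {0} (expected 401, rejected by IIS)" -f (Test-AppAccess $url)
"Windows request   : HTTP {0} (expected 200 for an account the server trusts)" -f (Test-AppAccess $url -WithCredentials)
```

Two practical caveats. First, if you leave both Anonymous and Windows Authentication enabled in IIS, the request is handed to ASP.NET anonymously first and IIS only sends a Negotiate/NTLM challenge when the application answers with 401; in that setup <deny users="?"/> produces a login prompt rather than a flat Access Denied, which is a different behaviour from either scenario in the post. Second, if you would rather keep the IIS settings in web.config under <system.webServer>, the windowsAuthentication and anonymousAuthentication sections must first be unlocked in applicationHost.config (for example with appcmd unlock config /section:windowsAuthentication), otherwise IIS returns a 500.19 configuration error.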
Hope you enjoyed this small post. I'll write more posts on ASP.NET security.
Thanks, and waiting for more posts. This post is very clear.
Really, I am always confused about the security part in ASP.NET.
Glad to know that you found it useful. I'll be writing more posts in the coming weeks.
Pingback: IIS7 and Higher : system.webServer element ApplicationHost.config vs Web.config | Brij's arena of .NET
I enjoyed reading this post. Thanks a lot. 🙂
But the HTML inside the code blocks is rendered as encoded.
Can you please check and correct it, so that it appears as HTML?
Tadit Kumar Dash
Thanks a lot, friend, for pointing it out. Updated!!
No problem. 🙂