ASPNetWindowsAuthProvider - Unauthorized

     I'm trying to setup an ASPNetWindowsAuthProvider and I've looked though various threads and tried different things, but continue to get Unauthorized.  I added the ASPNetWindowsAuthProvider and added the following bit to the client to get the local credentials I believe.

Tried this…
client.Credentials = CredentialCache.DefaultCredentials;

and this…
client.RequestFilter = req => {
req.Credentials = CredentialCache.DefaultCredentials;
};

Does it compare against an AuthRepository? Or just strictly use IIS to authenticate token. I’m running VS2015 with IIS Express and tried configuring it based on what I found.

I also added the LoadUserAuthFilter but the method doesn’t get called. Just looking for some direction or maybe get pointed to a good example of setting this up. Maybe I’m missing something simple.

Thanks for the help.

It sets up an Auth User Session using Windows Authentication which you’ll need to enable in IIS.

I figured out my IIS Express issue and now it is authenticating on IIS. The problem I’m running into is I register some accounts in the AuthRepository for validating through Basic authentication. With those loaded I get the following error when calling a service with the Windows Credentials loaded. Stepping through the LoadUserAuthFilter gets called but once it leaves that method an unhandled exception is raised. Is it not possible to run with ASPNetWindowsAuthProvider and BasicAuthentication Provider? Or do I have to Register a user in the AuthRepository during the LoadUserAuthFilter method? If so what information do a I register for the ASPNetWindowsAuthProvider? Thanks

Here’s the exception information. The Stack Trace gets cut off.

Message:
“Value cannot be null.\r\nParameter name: key”

Stack:
StackTrace = " at ServiceStack.Auth.InMemoryAuthRepository.InMemoryClientFacade.GetValueFromHash(String hashId, String key)\r\n at ServiceStack.Auth.RedisAuthRepository`2.GetAuthProviderByUserId(IRedisClientFacade redis, String provider, String userId)\r\n at Serv…

Can’t tell what the issue is from here, if you can put together a stand-alone repro I can take a look.

Are you using ServiceStack Basic Auth e.g. the BasicAuthProvider as that validates users against the User Auth Repository, i.e. it doesn’t use Windows Auth. So not sure if you’re trying to use Basic Auth + ASP.NET Windows Auth together for the same account?

I’m trying to provide two authentication options. The BasicAuth is using the InMemoryAuth Repository to validate against and the ASPNetWindowsAuth is validated by IIS. The BasicAuth would pass a User and API Key in the password field. However the first service call made which uses the ASPNetWindowsAuth gives me the exception I listed. If I comment out registering and loading the InMemoryAuthRepository the ASPNetWindowsAuth doesn’t error out and I call call services needing authentication. Those two should be able to work side by side correct?

To recreate all you have to do is load the ASPNetWindowsAuth and load the InMemoryAuthRepository(). When you call the first service it will error out right after the LoadUserAuthFilter returns. So you don’t need BasicAuth loaded it seems to be strictly related to those two.

_appHost.LoadPlugin(new AuthFeature(() => new AuthUserSession(),
new IAuthProvider[]
{
new AspNetWindowsAuthProvider(_appHost) {
AllowAllWindowsAuthUsers = true,
LoadUserAuthFilter = LoadUserAuthInfo
}
}));

var container = _appHost.GetContainer();
container.Register(c => new InMemoryAuthRepository());
IAuthRepository repo = container.Resolve();
repo.InitSchema();

Ok found an issue when using AspNetWindowsAuthProvider with a configured User Auth Repository which should now be resolved from v4.5.9 that’s now available on MyGet.

Thanks so much Demis for the quick follow-ups and resolution!

What would the IIS setup for an application supporting both Basic credentials and Windows Authentication look like? I’m struggling to get this configured correctly.

In IIS on my application I have both Anonymous and Windows Authentication enabled at the root of my application. Since Anonymous authentication is always satisfied I am never presented with a challenge for my Windows credentials by IIS.

Does this scenario require the use of two separate IIS applications, one configured for Anonymous authentication and another for Windows authentication?

You’d need to allow only Windows Auth (i.e not allow Anonymous Auth) in order to force Windows Auth.

Thanks for following up. In our scenario we would like to support both users who are on a corporate domain, as well as users who are outside and not part of a trusted domain. Obviously configuring only Windows Authentication on the entire application in IIS will not work because the external users do not have a domain account.

What we were hoping is that we could point corporate domain users to auth\windowsauth, which would challenge users for their domain credentials and the endpoint would authenticate using those credentials. For users outside of the domain we would just simply point them to auth/credentials and they would supply their user/password combo.

In an ordinary asp.net style application I think this is normally possible by configuring the auth\windowsauth directory in IIS to ONLY allow Windows Authentication. The rest of the application in IIS would be configured to use anonymous authentication so that it is accessible for everyone as long as they have been authenticated (either via Windows authentication or basic authentication).

However you would do it with ASP.NET is no different to how you would do it with ServiceStack which is itself just an ASP.NET App. But if you allow Anon access it’s not going to prompt for credentials since it doesn’t have to.