#StackBounty: #iis #windows-authentication Configure an IIS 10 ASP.NET MVC app to allow only specific domain user to access "/api/…

Bounty: 50

This is on Windows Server 2019, the web app is a ASP.NET MVC app (.NET FW 4.6)

I’m not sure how to debug this.

  • The AppPool runs under a Managed Service Account! (not that it helps using AppPoolIdentity 😐 )
  • I’ve enabled/installed Windows and URL Authentication (disabled all else)
  • I can access all other urls, but not the API ones when I add the below
  • Server and client are in the same domain (MYDOMAIN)
  • Getting the same response from any web browser (We have Windows auth working on a ASP.NET Core on another server from the same browser, but that is for the entire site, not just part of it)
  • NTLM provider is used, kernel mode and extended protection turned off

The config looks like this:

  <location path="API">
        <allow users="MYDOMAINusername" />
        <deny users="*" />
        <deny users="?" />

The app has it’s own login (forms) but I need to use windows login just to restrict API access:

<authentication mode="Windows">
  <forms loginUrl="~/Account/Login" timeout="180" slidingExpiration="true" />

We’d really like to avoid any coding here, just config, if possible.

Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.