Use Anonymous authentication in MVC4 on single controller when the whole application uses Windows Authenticaion

22
votes

I have an MVC4 Web application which uses Windows Authentication, that is in web.config I have
<authentication mode="Windows" /> And that works fine and everything is ok.

However now I need a controller (an Web API controller in fact) that should be accessed anonymously from a third party component. The problem is that every time I want to invoke this method it requests user credentials.

I tried putting AllowAnonymous attribute to controller and methods but it was not successful.

[AllowAnonymous] public bool Get(string Called, string Calling, string CallID, int direction)

I checked on both IIS Express and IIS 8 with Anonymous authentication and Windows authentication enabled.

It seems that windows authentication precedes any other authentication and cannot be overridden.

Is there a way to accomplish this?

3
asp.net-mvc-4windows-authentication

3 Answers

19
votes

Add this to your Web.config. Here, my controller is named "WebhookController".

<location path="Webhook">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

See this KB article for more info.

Edit - As Erik mentioned below, in MVC applications you should not use web.config <authorization> tags for security. Instead, use [Authorize] attributes. Doing so will allow your [AllowAnonymous] attributes to work correctly. You can read more about this here.

7
votes

The accepted answer seems to be out of date, so...

In your web.config, remove these lines:

<authorization>
  <deny users="?" />
</authorization>

In the solution explorer, click your project, then click f4 (or open the properties explorer). Enable Anonymous Authentication.

Now you're free to use the Authorize and AllowAnonymous Attributes. They're pretty straightforward, Authorize means the user needs to be authorized in order to access the action or controller, AllowAnonymous means the opposite. If an unauthorized user attempts to access a controller or action with the Authorize attribute, they'll be redirected to a login page. If you put Authorize on a controller it applies to all the controller's actions, except ones with AllowAnonymous.

1
votes

web.config should not be touched as indicated here.

In order to achieve desired result AllowAnonymous and [Authorize] (and maybe some custom authorization attribute, if needed) should be used.

Steps to be performed:

  1. Ensure IIS has both Anonymous Authentication and Windows Authentication configured for the web application / web site

  2. All controllers should use [Authorize] attribute. This can be easily achieved if all inherit from a common controller class (e.g. BaseController / BaseApiController). E.g.:

    [Authorize]
public class BaseController : System.Web.Mvc.Controller
{

}


[Authorize]
public class BaseApiController : System.Web.Http.ApiController
{

}

  3. Add [AllowAnonymous] attribute to all actions that are supposed to be anonymous. E.g.:

    [RoutePrefix("Api/Anonymous")]
[Authorize]
public class AnonymousController : ApiController
{
    [HttpGet]
    [Route("GetServiceStatus")]
    [AllowAnonymous]
    public string GetServiceStatus()
    {
        return "OK";
    }
}