This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 38%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
I have an existing Web Api project build with .Net 4.8. In production, I have both Web Api and Angular based web site deployed in IIS in Windows 2022. The database, SQL Server 2017, is running on separate Windows 2022 machine. Both servers are in same domain. The web site is intranet type used by internal users only.
The Web version is a replacement to old Windows Form GUI. Currently both Windows Form GUI and Web version are connecting to same database.
Aim: When a domain user runs Windows Form GUI, database returns data based on domain user access rights. The Web Api is running with Anonymous authentication and the need is to implement Windows Authentication such that database knows domain user and returns data similar to Windows Forms . I couldn't find any detail instructions on internet how to achieve it in .Net4.8 project.
Constraint: Any changes to database is out of project scope.
Can someone help with right information how to implement Windows Auth in .Net4.8?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 36%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELH%3C/text%3E%3C/svg%3E)
Hi @Shastri, Shrinivas,
To enable Windows Authentication within an ASP.NET Application, you should make sure that you have “Integrated Windows Authentication” enabled within IIS for the application you are building.
The documentation below has detailed steps.
Integrated Windows Authentication
Windows Authentication <windowsAuthentication>
You should then add a web.config file to the root of your ASP.NET application that contains an <authentication> section that sets the mode to "Windows".
You should then also add the <authorization> section to the same web.config file to deny "anonymous" users access to the site. The specific configuration is as follows:
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Best regards,
Lan Huang
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
see the docs about IIS windows user impersonation:
also unless the webserver and sqlserver are on the same box, you will run into the one hop rule. so you will need to enable credentials delegation on webserver, and use kerberos for authentication:
you will run into the one hop rule. so you will need to enable credentials delegation on webserver
you mean ASP.NET Impoersantion Authentication enabled along with Windows Authentication in IIS? I was trying with code -
WindowsIdentity identity = WindowsIdentity.GetCurrent();
using (identity.Impersonate())
{
//call entity model function
}
use kerberos for authentication
For Windows Auth, should I run Web Api and Web Site (both are installed as separate in IIS) pools under a domain account or default ApplicationPoolIdentity and create SPN?
Thanks,
Sri
windows identity has a one hop rule.
if you used basic authentication, then the IIS identity token would be a primary and IIS could use the token to access an external resource. But with windows authentication, the browser has the primary token, and the one hop is to the IIS server.
you will need to use Kerberos and enable server credentials delegation on the its server.