question

HoKevin-3728 avatar image
0 Votes"
HoKevin-3728 asked BruceZhang-MSFT commented

OAuth authentication is need enable IIS anonymous authentication to work ?

I have a website use OAuth, but in IIS if i disable anonymous authentication, the website auth not work, for OAuth is it need enable anonymous authentication ? and any security concern for enable anonymous authentication ?

windows-server-iis
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

BruceZhang-MSFT avatar image
0 Votes"
BruceZhang-MSFT answered BruceZhang-MSFT commented

Hi @HoKevin-3728 ,

You need to enable anonymous authentication or any other at least one authentication. Authentication in IIS is triggered before OAuth. After this verification is passed, the request can be processed by asp.net and passed to OAuth to generate the token.

You can think of it as restricting your access to files in the application. When it has access to these files, the OAuth code in the files can run and check the token.


If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Best regards,
Bruce Zhang


· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi Bruce

Thanks for you information, i have one more question about have security impact if use anonymous authentication ?

0 Votes 0 ·

Hi @HoKevin-3728 ,

I think it is safe because it gives users access to the public areas of your Web or FTP site without prompting them for a user name or password.

Usually we will set up user management modules in the application to ensure that some data is accessed by users with credentials. The user module will set the login registration page, and the login registration page needs to allow anonymous access at this time. In this case, you can say that its protection of data is secure, but it also uses anonymous access.

If you worry about security, you can use windows authentication. It will ask users to provide windows account and verify it before issue token.

1 Vote 1 ·