22

I have an MVC4 Web application which uses Windows Authentication, that is, in web.config I have
`<authentication mode="Windows" />`, and that works fine and everything is ok.

However, now I need a controller (a Web API controller, in fact) that should be accessed anonymously from a third-party component. The problem is that every time I want to invoke this method it requests user credentials.

I tried putting the AllowAnonymous attribute on the controller and methods, but it was not successful.

    [AllowAnonymous]
    public bool Get(string Called, string Calling, string CallID, int direction)

I checked on both IIS Express and IIS 8 with Anonymous authentication and Windows authentication enabled.

It seems that Windows authentication precedes any other authentication and cannot be overridden.

Is there a way to accomplish this?

Plamen Ignatov

3 Answers

19

Add this to your Web.config. Here, my controller is named "WebhookController".

    <location path="Webhook">
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </location>

See this KB article for more info.

Edit - As Erik mentioned below, in MVC applications you should not use web.config <authorization> tags for security. Instead, use [Authorize] attributes. Doing so will allow your [AllowAnonymous] attributes to work correctly. You can read more about this here.

Cavyn VonDeylen
  • I don't think this will work for me. This setting is overridden by '' and the web site still requires a user name and password in order to access it. Apart from that, I am using MVC, and such configuration settings in web.config might not always help because of routing. – Plamen Ignatov Mar 19 '13 at 16:37
  • It works for me. I'm also using `` with MVC3. I haven't set up any special routing rules though. You may need to mess with the location path. – Cavyn VonDeylen Mar 19 '13 at 17:36
  • Giving it a second try - it works. It seems the `AllowAnonymous` attribute is not sufficient with Windows authentication and the `location` tag is what works best. Thanks for pointing me to what might be the right solution for the problem! – Plamen Ignatov Mar 20 '13 at 07:51
  • +1 This fixed a problem I was having. Although we used `` instead to allow anonymous users. – Matt Griffiths Jan 21 '14 at 17:20
  • The problem with using a Web.config location for security is that it has to match all possible URLs that could be used to access a URL. When you consider default routing, that could mean you have to create a lot of location entries. – Erik Funkenbusch Apr 02 '14 at 19:20
7

The accepted answer seems to be out of date, so...

In your web.config, remove these lines:

    <authorization>
      <deny users="?" />
    </authorization>

In Solution Explorer, click your project, then press F4 (or open the Properties window). Enable Anonymous Authentication.

Now you're free to use the Authorize and AllowAnonymous attributes. They're pretty straightforward: Authorize means the user needs to be authorized in order to access the action or controller, AllowAnonymous means the opposite. If an unauthorized user attempts to access a controller or action with the Authorize attribute, they'll be redirected to a login page. If you put Authorize on a controller it applies to all the controller's actions, except the ones with AllowAnonymous.

Adam R. Grey
1

web.config should not be touched, as indicated here.

In order to achieve the desired result, [AllowAnonymous] and [Authorize] (and maybe a custom authorization attribute, if needed) should be used.

Steps to be performed:

  1. Ensure IIS has both Anonymous Authentication and Windows Authentication configured for the web application / web site

  2. All controllers should use the [Authorize] attribute. This can be easily achieved if they all inherit from a common controller class (e.g. BaseController / BaseApiController). E.g.:

    [Authorize]
    public class BaseController : System.Web.Mvc.Controller
    {
    
    }
    
    
    [Authorize]
    public class BaseApiController : System.Web.Http.ApiController
    {
    
    }
    
  3. Add [AllowAnonymous] attribute to all actions that are supposed to be anonymous. E.g.:

    [RoutePrefix("Api/Anonymous")]
    [Authorize]
    public class AnonymousController : ApiController
    {
        [HttpGet]
        [Route("GetServiceStatus")]
        [AllowAnonymous]
        public string GetServiceStatus()
        {
            return "OK";
        }
    }
    
Alexei - check Codidact
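The deny-by-default pattern from the answers above, as an added Web API 2 example that is not from the question or any of the answers. It goes one step beyond the base-class approach: a global `AuthorizeAttribute` filter makes every action require a (Windows-) authenticated user even if a controller forgets to inherit from the base class, and only actions that explicitly carry `[AllowAnonymous]` are reachable without credentials. Controller, route and action names are assumptions; it presumes IIS has both Anonymous and Windows Authentication enabled and that web.config carries no `<deny users="?" />`.

```csharp
using System.Web.Http;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Global filter: every Web API action requires an authenticated
        // user unless it opts out with [AllowAnonymous]. Same effect as
        // the [Authorize] base controller, but it also covers controllers
        // that do not inherit from it.
        config.Filters.Add(new AuthorizeAttribute());
        config.MapHttpAttributeRoutes();
    }
}

// Hypothetical controller used to illustrate the two cases side by side.
[RoutePrefix("api/status")]
public class StatusController : ApiController
{
    // Opts out of the global filter: IIS serves the request through
    // Anonymous Authentication, so no Negotiate/NTLM challenge is sent.
    // Keep anonymous endpoints minimal; they return no user-specific data.
    [HttpGet, Route("ping"), AllowAnonymous]
    public IHttpActionResult Ping()
    {
        return Ok(new { status = "OK" });
    }

    // Covered by the global [Authorize]: an unauthenticated caller gets
    // 401 and IIS negotiates Windows authentication; once that succeeds,
    // the caller's domain identity is available on User.Identity.
    [HttpGet, Route("whoami")]
    public IHttpActionResult WhoAmI()
    {
        return Ok(new
        {
            user = User.Identity.Name,
            authenticationType = User.Identity.AuthenticationType,
            isAuthenticated = User.Identity.IsAuthenticated
        });
    }
}
```

Keeping `<authentication mode="Windows" />` in web.config is still correct here; it is the `<deny users="?" />` element (or the `<location>` workaround from the first answer) that must go, because the ASP.NET URL authorization module rejects anonymous requests before the MVC/Web API attribute filters ever run.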