Disable Basic-Authentication without IIS manager

Question

My ASP.NET MVC web application handles the authentication itself by explicitly sending the 401 status code and the www-authenticate header to make the browser display the basic authentication dialog.

My hosting provider doesn't provide access to the IIS manager and has the IIS BasicAuthenticationModule always enabled.

Unfortunately, the custom basic authentication implemented by my application is therefore now "hidden" by the IIS BasicAuthenticationModule. Any time I send a 401, the BasicAuthenticationModule seems to think it's his responsibility to handle the authentication. It also overrides the custom www-authenticate header of my application.

Is there a way to disable the IIS module for just my web application using the web.config only? I already tried adding the following settings to the web.config:

<configuration>
  <system.webServer>
    <modules>
      <remove name="BasicAuthenticationModule" />
    </modules>
  </system.webServer>
</configuration>

But that just generates a lock violation error. This setting didn't do the trick either:

<configuration>
  <system.web>
    <authentication mode="None" />
  </system.web>
</configuration>

Any other suggestions?

Answer 1

If you disable any authentication on IIS manager and check web.config, you will find that there is no configuration about authentication in it. Because configurations are saving in applicationhost.config file. That is why you need to use IIS manager.(Only administrator can use IIS manager)

But according to microsoft docs, you can use appcmd to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.

appcmd.exe set config "site name" -section:system.webServer/security/authentication/basicAuthentication /enabled:"False"  /commit:apphost