
I'm developing an ASP.NET Core 6 web API where I want to use Windows authentication (NTLM) to authenticate calls.

So, following the MS documentation, I've installed the Microsoft.AspNetCore.Authentication.Negotiate NuGet package. Then, I've configured my startup class like this:

public void ConfigureServices(IServiceCollection services){
    ...
    services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
            .AddNegotiate();
    services.AddAuthorization();
}

and then in the Configure method:

public void Configure(IApplicationBuilder app){
    ...
    app.UseAuthentication();
    app.UseAuthorization();
}

Finally, I've decorated the controller actions I want to protect like this:

[Authorize(AuthenticationSchemes = NegotiateDefaults.AuthenticationScheme)]
[HttpGet("test")]
public string Test()
{
    return User.Identity.Name;
}

I've then tried to navigate to that endpoint with my browser, running on the same machine as the webapp and reaching it via localhost. This is when the problem happens, with two strange behaviors:

  • The browser asks for credentials (classic username/password popup), even though I'm running client and server on the same machine
  • If I click "cancel" without providing any credentials the controller action executes anyway and the user IS AUTHENTICATED

So, the automatic authentication is working correctly "under the hood", the only problem is that the browser for some reason still asks for credentials even though it doesn't need them.

Why is this happening? I've tried with Chrome, Edge and FF and they all behave like this.

Master_T

1 Answer


The automatic authentication is managed by the IE Internet Options (Win10) or Internet Options (Win11).

If you are using Win11, you can refer to the steps below to modify the login option.

  1. Search for "Internet Options"

  2. "Security" tab

  3. Click on the "Trusted sites" zone

  4. Click on the "Sites" button

  5. Insert the required website into the zone (if it is not https, then you must first deselect "Require verification ...." and after insertion mark it again)

  6. Restart Edge

If you are using Win10, you can refer to this answer to modify the settings.

Brando Zhang
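
An added diagnostic sketch, not part of either post above: when troubleshooting the Negotiate handshake the question describes, it helps to label each `Authorization` header copied from the browser's network tab as anonymous, raw NTLM (with message type) or a SPNEGO token. The function names and the sample headers are assumptions constructed for illustration; the SPNEGO sample is a header-only stub, and the NTLM-inside-SPNEGO check is a heuristic.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def classify_authorization(header_value):
    """Label one Authorization request-header value (None if the header is absent)."""
    if not header_value:
        return "anonymous"
    scheme, _, token_b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other scheme"
    try:
        token = base64.b64decode(token_b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed token"
    if token.startswith(NTLM_SIGNATURE) and len(token) >= 12:
        # Raw NTLM message: 8-byte signature, then a little-endian uint32 type.
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return "NTLM " + NTLM_TYPES.get(msg_type, "unknown")
    if token[:1] == b"\x60":
        # ASN.1 [APPLICATION 0]: GSS-API initial token (SPNEGO wrapper).
        # Heuristic: an embedded NTLMSSP signature means the inner token is NTLM.
        return "SPNEGO/NTLM" if NTLM_SIGNATURE in token else "SPNEGO/other (e.g. Kerberos)"
    return "unrecognised token"

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed sample headers (not captured traffic); token bodies are minimal stubs.
SAMPLE_HEADERS = [
    None,                                                              # first request
    "Negotiate " + _b64(NTLM_SIGNATURE + struct.pack("<I", 1) + b"\x00" * 4),
    "Negotiate " + _b64(NTLM_SIGNATURE + struct.pack("<I", 3) + b"\x00" * 4),
    "Negotiate " + _b64(b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02"),  # SPNEGO OID only
    "Negotiate not-base64!",
]

def classify_sample():
    """Classify every constructed sample header, in order."""
    return [classify_authorization(h) for h in SAMPLE_HEADERS]

if __name__ == "__main__":
    for label in classify_sample():
        print(label)
```
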