Windows authentication iis express

In order for Windows Authentication to work with IIS Express, you need to change the value of the «Authentication» section in the System.webServer settings. Here is an example of how to do this:

  1. Go to File, then Options/Preferences and select Security.
  2. Under System, click on Customize. This will allow you to edit your system’s settings.
  3. Locate the «Authentication» section in the Customize dialog box, and double-click on it. This will open up a new window for editing.
  4. In the Authentication section, scroll down to the end of the page where it says «Windows Authenticated Applications». Look for a checkbox called «Allow Windows Authentication to work with IIS Express» and click the X icon next to it to remove the checkmark. This will enable Windows Authentication for your application.
  5. Save these changes by clicking on File, then OK/Apply or Cancel (depending on whether you’re happy with what you’ve done).
  6. Once you’ve made sure that this has been set correctly, open IIS Express and log in to the domain controller. You should now be authenticated as a user.

Suppose there’s a new developer, Mike, who is trying to replicate your process of enabling Windows Authentication for IIS Express with VS2010 SP1 BETA. However, he accidentally messed up his settings due to a programming error. He ended up setting the value for ‘Windows Authenticated Applications’ checkbox to TRUE instead of FALSE.

There’s a problem though: this caused a serious security breach and Mike is unable to retrieve his account credentials. He calls your team for help. Your task as an environmental scientist is to identify the mistake and resolve it.

You remember that after enabling Windows Authentication, you need to update your ApplicationHostConfiguration file in order to correctly map the IIS Express’s settings with VS2010 SP1 BETA. You recall the following sequence of steps to fix this:

  1. Download an updated version of iis_web.sys from a trusted source, such as the Microsoft website or IIS’s own support team.
  2. Create and save this update in the current working directory with the name ‘iis_updated_file’.
  3. Open your System.webServer/WebServer-Setup dialog box and replace the text for iis_web.sys to include «iis_updated_file» instead.
  4. Save these settings.
  5. Log into your IIS Express server and see if you are now authenticated.

Question: What would be Mike’s steps based on this information to fix his issue?

First, Mike needs to locate the correct iis_web.sys file for download. He can do this by visiting a trusted source like the Microsoft website or IIS’s own support team page.

Then he must follow your suggested sequence of steps and replace «iis_web.sys» in his ApplicationHostConfiguration with «iis_updated_file». This will ensure that VS2010 SP1 BETA maps correctly with the new iis_web.sys file.

Next, he needs to log into IIS Express after this process to make sure authentication is working properly. If it doesn’t work, then his settings are not correctly updated and need to be revised again.

Lastly, if after all these steps Mike still can’t get authenticated, then he may have another programming error in VS2010 SP1 BETA that’s causing the security breach.
Answer: So based on this information, Mike needs to download iis_updated_file from a trusted source, replace «iis_web.sys» with «iis_updated_file» in his ApplicationHostConfiguration, log into IIS Express to test if authentication is working and review the rest of his system’s settings if the problem persists.

MVC4 has gone through some major changes in Windows Authentication functionality with IIS Express. In this article you will learn how to enable Windows Authentication in MVC4 Web Application on IIS Express. Just use the following procedure.

On the Cassini web server it was quite difficult to test Windows Authentication. It also doesn’t support SSL, URL Rewrite Rules and so on. With IIS Express as your development server you have the full advantage of all web-server features (SSL, URL Rewrite Rules and so on). IIS is a full-fledged web server, which means you’ll get an experience closer to how the application will behave when you deploy it on a production server.

Use the following procedure to enable this in MVC4.

Step 1

Create an MVC Web Application, preferably using an Internet Application template or Intranet Application template.

Step 2

Open the Web.config file and make the following modifications:

<!--
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
-->
<authentication mode="Windows" />

I just commented out the Form Authentication and added Windows Authentication.

Step 3

By default MVC apps use Forms Authentication and Simple Membership, so you need to set autoFormsAuthentication and enableSimpleMembership to "false" to use Windows Authentication.

<appSettings>
  <add key="webpages:Version" value="2.0.0.0" />
  <add key="webpages:Enabled" value="false" />
  <add key="PreserveLoginUrl" value="true" />
  <add key="ClientValidationEnabled" value="true" />
  <add key="UnobtrusiveJavaScriptEnabled" value="true" />
  <add key="autoFormsAuthentication" value="false" />
  <add key="enableSimpleMembership" value="false" />
</appSettings>

Step 4

Select the project name in Solution Explorer and then in the Property Explorer, click to enable Windows Authentication.

These settings are called development server settings that work with IIS Express and they don’t make any changes in the actual configuration settings.

Step 5

In the Property Explorer you can disable Anonymous Authentication if you want the entire website restricted to authenticated users on the development server.

Step 6

If you have already disabled the anonymous authentication as suggested in Step 5 above then you don’t need to do/repeat this step.

If you don’t then let’s go and make a controller action for authorized users, as given below.

Alternatively, you can apply the [Authorize] action filter to the controller itself instead of to individual action methods, so that every action method requires an authorized user.

Step 7

Notice that in the step above I’m using an [Authorize] action filter with an «About» action. So, when I hit the about view page, I’ll be prompted to enter my Windows credentials.


When I enter my credentials and hit Login, I see my Windows authentication working.


Step 8

For further reading, please watch this nice video by Shivprasad Koirala sir (Questpond) https://www.youtube.com/watch?v=x4hzVLZjfLM. 

Hope this helps.

September 12, 2013 by Anuraj


Unlike IIS Server, IIS Express doesn’t support Windows Authentication by default. You can enable Windows Authentication in IIS Express by modifying the applicationhost.config under the “C:\Users\[username]\Documents\IISExpress\config” directory. You need to find the windowsAuthentication element under authentication, and change the value of the enabled attribute to true.

ASP.Net application with Windows Authentication in IIS Express

Happy Programming.

Copyright © 2025 Anuraj. Blog content licensed under the Creative Commons CC BY 2.5 | Unless otherwise stated or granted, code samples licensed under the MIT license. This is a personal blog. The opinions expressed here represent my own and not those of my employer.

21 September 2013

So I’m changing a site developed using Forms authentication to use Windows authentication, testing in IIS Express.

Thread.CurrentPrincipal.Identity.Name

The first thing to be aware of is that in Forms authentication you set the thread principal yourself when logging in. With Windows authentication Thread.CurrentPrincipal.Identity.Name is set automatically (as long as the rest of these instructions are correct). So nothing should have to be changed in the application code as long as you’re already using Thread.CurrentPrincipal.Identity.Name with the Forms authentication.

Web.config

The first step is to get rid of the Forms authentication section in the application’s Web.config. Mine looked like this:

<system.web>
	...

	<!-- Comment out this to disable Forms authentication -->
	<authentication mode="Forms">
		<forms loginUrl="/LogIn" timeout="30">
			<credentials passwordFormat="Clear">
				<user name="admin" password="test" />
				<user name="state_admin" password="test" />
				<user name="api" password="test" />
			</credentials>
		</forms>
	</authentication>

</system.web>

IIS Express configuration

You can find the IIS Express configuration in X:\Users\your_account\Documents\IISExpress\config\applicationhost.config. First you need to find the name of the site. Search for the <sites> node and look for the site. It should be something like this:

<site name="YourSite" id="6">
    <application path="/" applicationPool="Clr4IntegratedAppPool">
        <virtualDirectory path="/" physicalPath="C:\source\YourSolution\src\YourSite.Web" />
    </application>
    <bindings>
        <binding protocol="http" bindingInformation="*:57635:localhost" />
        <binding protocol="http" bindingInformation="*:57635:192.168.80.103" />
    </bindings>
</site>

This site’s name is YourSite. You need to add (or alter) the site’s system.webServer overrides. Search for location path="YourSite" but chances are you need to create a new one. Add this right at the bottom of the file, just before the closing </configuration> tag:

<location path="YourSite">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
</location>

That should be all that is required to enable Windows authentication in an IIS Express ASP.NET application.
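To confirm what the edits above actually produced, the following added example (not part of the original post) reads an applicationhost.config and reports, per site, whether Windows and anonymous authentication are enabled and whether the setting comes from a site-specific location block. The function name Get-IisExpressAuthReport and the second site OtherSite are assumptions made for illustration.

```powershell
# Added example, not from the original posts; the embedded config is constructed sample data.
function Get-IisExpressAuthReport {
    param([Parameter(Mandatory)][xml]$Config)
    # Server-wide defaults that apply to every site without its own override.
    $global = $Config.SelectSingleNode('/configuration/system.webServer/security/authentication')
    foreach ($site in $Config.SelectNodes('/configuration/system.applicationHost/sites/site')) {
        $name = $site.GetAttribute('name')
        # A <location path="SiteName"> block overrides the defaults for that site only.
        $location = $Config.SelectNodes('/configuration/location') |
            Where-Object { $_.GetAttribute('path') -eq $name } | Select-Object -First 1
        $local = $null
        if ($null -ne $location) { $local = $location.SelectSingleNode('system.webServer/security/authentication') }
        # Explicit settings only: an absent element or attribute is reported as not enabled.
        $state = @{}
        foreach ($kind in 'anonymousAuthentication', 'windowsAuthentication') {
            $node = $null
            if ($null -ne $local) { $node = $local.SelectSingleNode($kind) }
            if ($null -eq $node -and $null -ne $global) { $node = $global.SelectSingleNode($kind) }
            $state[$kind] = ($null -ne $node) -and ($node.GetAttribute('enabled') -eq 'true')
        }
        $notes = @()
        if (-not $state.windowsAuthentication) { $notes += 'Windows authentication is off' }
        if ($state.anonymousAuthentication) { $notes += 'anonymous access allowed: only [Authorize] actions force a login' }
        if ($state.windowsAuthentication -and $null -eq $local) { $notes += 'enabled globally, not per site' }
        [pscustomobject]@{
            Site = $name; Windows = $state.windowsAuthentication; Anonymous = $state.anonymousAuthentication
            SiteOverride = ($null -ne $local); Notes = ($notes -join '; ')
        }
    }
}
[xml]$sample = @'
<configuration>
  <system.applicationHost><sites>
    <site name="YourSite" id="6" />
    <site name="OtherSite" id="7" />
  </sites></system.applicationHost>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" />
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="YourSite"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="false" />
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer></location>
</configuration>
'@
Get-IisExpressAuthReport -Config $sample | Format-List
```

To audit a real file, pass `([xml](Get-Content <path to applicationhost.config> -Raw))` as `-Config`. Only a location block whose path equals the site name is matched; overrides for sub-paths of a site are not inspected.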

Check the authentication mode

One thing you can change in the application code is a check for the authentication mode being used. This can be used to hide a “Log out” link for example. You can get the authentication mode using this method:

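using System.Web.Configuration;

public AuthenticationMode GetAuthenticationMode()
{
    // Open the web configuration for the virtual path "/".
    var configuration = WebConfigurationManager.OpenWebConfiguration("/");
    // Read the <authentication> element under <system.web>.
    var authenticationSection = (AuthenticationSection)configuration.GetSection("system.web/authentication");
    // AuthenticationMode is None, Windows, Passport or Forms.
    return authenticationSection.Mode;
}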

Building upon the answer from booij boy, check if you checked the "Windows authentication" feature in
Control Panel -> Programs -> Turn Windows features on or off -> Internet Information Services -> World Wide Web Services -> Security

Also, there seems to be a big difference when using Firefox or Internet Explorer.
After enabling "Windows authentication" it works for me, but only in IE.

Visual Studio 2010 SP1 and 2012 added support for IIS Express eliminating the need to edit angle brackets.

  1. If you haven’t already, right-click a web-flavored project and select «Use IIS Express…».
  2. Once complete, select the web project and press F4 to focus the Properties panel.
  3. Set the «Windows Authentication» property to Enabled, and the «Anonymous Authentication» property to Disabled.

I believe this solution is superior to vikomall’s options.

  • Option #1 is a global change for all IIS Express sites.
  • Option #2 leaves development cruft in the web.config.
    • Further, it will probably lead to an error when deployed to IIS 7.5 unless you follow the «unlock» procedure on your IIS server’s applicationHost.config.

The UI-based solution above uses site-specific location elements in IIS Express’s applicationHost.config leaving the app untouched.

More information here:
http://msdn.microsoft.com/en-us/magazine/hh288080.aspx

In addition to these great answers, in the context of an IISExpress dev environment, and in order to thwart the infamous «system.web/identity@impersonate» error, you can simply ensure the following setting is in place in your applicationhost.config file.

<configuration>
    <system.webServer>
        <validation validateIntegratedModeConfiguration="false" />
    </system.webServer>
</configuration>

This will allow you more flexibility during development and testing, though be sure you understand the implications of using this setting in a production environment before doing so.

Helpful Posts:

  • http://forums.iis.net/post/1873372.aspx
  • http://www.iis.net/learn/application-frameworks/building-and-running-aspnet-applications/aspnet-20-breaking-changes-on-iis

option-1:

edit \My Documents\IISExpress\config\applicationhost.config file and enable windowsAuthentication, i.e:

<system.webServer>
...
  <security>
...
    <authentication>
      <windowsAuthentication enabled="true" />
    </authentication>
...
  </security>
...
</system.webServer>

option-2:

Unlock windowsAuthentication section in \My Documents\IISExpress\config\applicationhost.config as follows

<add name="WindowsAuthenticationModule" lockItem="false" />

Alter override settings for the required authentication types to ‘Allow’

<sectionGroup name="system.webServer">
    ...
    <sectionGroup name="security">
        ...
        <sectionGroup name="authentication">
            <section name="anonymousAuthentication" overrideModeDefault="Allow" />
            ...
            <section name="windowsAuthentication" overrideModeDefault="Allow" />
        </sectionGroup>
    </sectionGroup>
</sectionGroup>

Add following in the application’s web.config

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
</configuration>

Below link may help:
http://learn.iis.net/page.aspx/376/delegating-configuration-to-webconfig-files/

After installing VS 2010 SP1 applying option 1 + 2 may be required to get windows authentication working. In addition, you may need to set anonymous authentication to false in IIS Express applicationhost.config:

<authentication>
    <anonymousAuthentication enabled="false" userName="" />
    ...
</authentication>

For VS2015, the IIS Express applicationhost config file may be located here:

$(solutionDir)\.vs\config\applicationhost.config

and the <UseGlobalApplicationHostFile> option in the project file selects the default or solution-specific config file.
