
Windows Authentication using IIS Express with ASP.NET Core Web API

Microsoft has already written a good, detailed article on Windows authentication with Web API. I recommend going through it, as it explains various ways to implement Windows authentication with ASP.NET Core Web APIs.

Here I'm going to cover how to set up Windows authentication with ASP.NET Core Web APIs using IIS Express, and how to consume the secured APIs from ASP.NET Core MVC web apps.

Once you have set up the Web API project as described in the IIS Express section of that article, a few more steps are needed to secure the APIs using Windows authentication.

Update the web.config file with the section below:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
Update the applicationhost.xml configuration file, which resides in the .vs folder:
<section name="anonymousAuthentication" overrideModeDefault="Allow" />

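Enable authentication and authorization in the Startup file:
using Microsoft.AspNetCore.Server.IISIntegration; // IISDefaults

public void ConfigureServices(IServiceCollection services)
{
    services.AddControllers();
    // Use the Windows identity that IIS / IIS Express passes to the app
    services.AddAuthentication(IISDefaults.AuthenticationScheme);
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    // With endpoint routing, UseRouting must run before
    // UseAuthentication, UseAuthorization and UseEndpoints
    app.UseRouting();
    app.UseAuthentication();
    app.UseAuthorization();
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}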

One more thing: add the Authorize attribute on top of any action method of the Web API that we want to secure.

Now the APIs are secure and we need to consume them from a web client. To do that, we first need to enable CORS in our Web API; otherwise we will face cross-domain errors.

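In the Web API Startup:
// In ConfigureServices
services.AddCors(options =>
{
    options.AddPolicy("AllowAllHeaders",
        builder =>
        {
            // List the client origin exactly, with no trailing slash: origins are compared as strings.
            // Do not add SetIsOriginAllowed(_ => true) here: it accepts every origin, and with
            // AllowCredentials() any site could make credentialed calls to this API.
            builder.WithOrigins("https://localhost:44372")
                   .AllowAnyHeader()
                   .AllowAnyMethod()
                   .AllowCredentials();
        });
});

// In Configure, after UseRouting() and before UseAuthentication()
app.UseCors("AllowAllHeaders");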
Now we are all set and can consume the Web APIs.
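
The origin decision behind the CORS policy above, as an added example (a simplified JavaScript model, not ASP.NET Core's code and not from the original post): it compares an allow-everything origin predicate, an origin listed with a trailing slash, and an exactly listed origin. It assumes the server echoes an allowed origin and the browser requires both headers for a withCredentials request; `other-site.example` is a constructed origin.

```javascript
// Simplified model of a CORS origin check and the browser's credentialed-read rule.
// Constructed for illustration; this is not ASP.NET Core source code.

// Server side: decide which CORS headers to emit for a request's Origin header.
function corsHeaders(policy, origin) {
  const allowed = policy.isOriginAllowed
    ? policy.isOriginAllowed(origin)      // a custom predicate replaces the origin list
    : policy.origins.includes(origin);    // exact string comparison against the list
  if (!allowed) return {};
  const headers = { "Access-Control-Allow-Origin": origin };
  if (policy.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Browser side: may script running on `origin` read the response
// to a request sent with withCredentials = true?
function browserExposesResponse(headers, origin) {
  return headers["Access-Control-Allow-Origin"] === origin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

const CLIENT = "https://localhost:44372";    // MVC client origin used on this page
const OTHER = "https://other-site.example";  // constructed, unrelated origin

// Three policy shapes (hypothetical names) to compare.
const policies = {
  predicateAlwaysTrue: { origins: [CLIENT + "/"], isOriginAllowed: () => true, allowCredentials: true },
  trailingSlashOnly: { origins: [CLIENT + "/"], allowCredentials: true },
  exactOrigin: { origins: [CLIENT], allowCredentials: true },
};

// For one policy, report which origins can read a credentialed response.
function evaluate(policyName) {
  const policy = policies[policyName];
  const result = {};
  for (const origin of [CLIENT, OTHER]) {
    result[origin] = browserExposesResponse(corsHeaders(policy, origin), origin);
  }
  return result;
}

for (const name of Object.keys(policies)) {
  console.log(name, evaluate(name));
}
```

The model covers only the origin decision for credentialed requests; preflight handling and header or method checks are left out.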

We write the JavaScript that consumes the POST API:

function addWthers() {
    var xhttp = new XMLHttpRequest();
    xhttp.open("POST", "https://localhost:44344/weatherforecast", true);
    // Send the user's Windows credentials with the cross-origin request
    xhttp.withCredentials = true;
    // Register the handler before sending the request
    xhttp.onreadystatechange = function () {
        if (xhttp.readyState === XMLHttpRequest.DONE) {
            if (xhttp.status === 200)
                console.log(xhttp.responseText);
            else
                console.log('There was a problem with the request.');
        }
    };
    xhttp.send();
}

We can consume secure Web APIs with the above approach.






