6

I have a basic Web API 2 setup with Visual Studio 2015 along with IIS 10.0 on Windows 10. 401 requests (Windows authentication) keep prompting me for a login. I can log in and it accepts my credentials, but nothing that I do gets rid of this prompt.

I have:

  • Added <authentication mode="Windows" /> into web.config under <system.web>
  • Disabled anonymous authentication through IIS
  • Enabled Windows authentication through IIS

Is there something I need to add into my controller or WebApiConfig to request a URL like /api/core/getweatherdata without being prompted for a login?


4 Answers

1

The prompt window which appears on Windows authentication is highly likely because of 401 Access Denied.

While I am not sure about some mandatory questions to be able to tell the exact reason, like:

A- What authentication provider is being used here?

B- Do you need Kerberos or not? Are you using a custom identity or not?

I believe using Kerberos authentication as a provider with Windows Authentication is the best option, and to do it please ensure you do all the steps below carefully and in the right way:

1- Create a custom account on Active Directory, and delegate this account from the delegate tab on AD Properties to ensure it can use Kerberos.

2- Use this custom identity as the app pool custom identity user: go to application pools, choose your app pool, right click, custom identity and set the user you just created.

3- Go to the application authentication tab and disable all authentication providers including impersonation (not only anonymous) except Windows authentication.

4- Right click on Windows Authentication, choose providers, and choose "Negotiate/Kerberos" as primary provider, below it "Negotiate" Authentication Providers.

5- Set the service principal name (SPN): open CMD and set the SPN on the service account, such that if the service account is "lab\testuser", the server domain is "server1A" and its FQDN (Fully Qualified Domain Name) is "server1A.test.com", you type the commands below:

setspn -s HTTP/server1A lab\testuser
setspn -s HTTP/server1A.test.com lab\testuser

It is really important to clear the Kerberos ticket cache as well, because many times you will make changes and you won't see that they took any effect until after clearing the cache, so you need to use the KLIST tool to clear it by typing the command klist purge

Then you need to clear the DNS cache and restart IIS by typing the commands below in CMD ("Run as admin"):

ipconfig /flushdns
iisreset

Good Luck, please let me know if you have any further questions, if you need clarification for anything

theK
  • 94
  • 11
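A way to check whether the Kerberos steps in the answer above took effect, added here as an example and not part of the original answer: it classifies the token in an Authorization request header copied from browser dev tools or a proxy as Kerberos or NTLM. The function names and sample tokens are constructed for illustration, and the classification is a byte-signature heuristic, not a full SPNEGO parser.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
# DER encoding of the Kerberos 5 GSS-API mechanism OID 1.2.840.113554.1.2.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm:<MESSAGE>' or 'unknown' for an Authorization value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not token:
        return "unknown"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    # NTLM can arrive bare or wrapped in SPNEGO, so search for its signature.
    pos = raw.find(NTLM_SIG)
    if pos != -1 and len(raw) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", raw, pos + 8)
        return "ntlm:" + NTLM_TYPES.get(msg_type, "TYPE%d" % msg_type)
    # A GSS-API initial token starts with 0x60; a Kerberos ticket carries the krb5 OID.
    if raw[:1] == b"\x60" and KRB5_OID in raw:
        return "kerberos"
    return "unknown"


def encode_token(raw):
    """Base64-encode raw token bytes the way they appear in the header."""
    return base64.b64encode(raw).decode("ascii")


# Constructed samples (not captured traffic): a bare NTLM type 1 message, and a
# truncated blob holding only the leading bytes a SPNEGO/Kerberos token would have.
SAMPLE_NTLM = "Negotiate " + encode_token(NTLM_SIG + struct.pack("<I", 1) + bytes(20))
SAMPLE_KRB = "Negotiate " + encode_token(
    b"\x60\x82\x05\x00" + bytes.fromhex("06062b0601050502") + KRB5_OID + bytes(16)
)

if __name__ == "__main__":
    for name, value in (("NTLM sample", SAMPLE_NTLM), ("Kerberos sample", SAMPLE_KRB)):
        print(name, "->", classify_authorization(value))
```

A token that still classifies as NTLM after the SPN and provider changes means the client did not obtain a Kerberos ticket for the URL being requested.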
0

I can think of two situations this may occur.

  1. IIS App Pool user is not set correctly and doesn't know what\who to impersonate. (IIRC it should be set to NETWORK SERVICE) Reference Here.

  2. The address you are using is not an intranet one, so it then asks for authentication. Reference Here.

Geek
  • 415
  • 4
  • 16
0

You most likely just need to change settings on your computer. For Windows authentication to work without prompts, you need to configure your internet options accordingly.

Control Panel > Internet Options > Security tab > choose the correct "zone" > Custom Level > scroll to the bottom.


Jeffrey Patterson
  • 2,342
  • 1
  • 13
  • 9
0

I had these symptoms when developing on Web API 2 in VS2017 and using IIS Express. In the default WebApiConfig.cs there's this chunk:

 // Web API configuration and services
 // Configure Web API to use only bearer token authentication.
 config.SuppressDefaultHostAuthentication();
 config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

The config.SuppressDefaultHostAuthentication(); is the method which blocks out the web.config (and I guess IIS) authentication specifics. Commenting out the line did the trick in my case, with this in the web.config:

<security>
  <authentication>
    <anonymousAuthentication enabled="false"/>
    <windowsAuthentication enabled="true"/>
  </authentication>
</security>

Bear in mind that this doesn't solve a 'double hop' situation, i.e. an authenticated user on a website passing credentials to a backend API... but that's another story.

Neil Billingham
  • 2,235
  • 4
  • 23
  • 34