Does IIS support Multiple Authentications for a single website?

Piyush Meshram 136 Reputation points
2021-07-27T04:21:26.853+00:00

Website configured for MTLS authentication with Self Signed Certificates; is it possible to enable IPSecurity authentication, Allowing a particular IPAddress access to the website even if MTLS fails or the user does not have a client certificate?

In general, MTLS authentication fails when a user does not have a valid client certificate. But a user wants to access the website even if that user fails to provide a valid client certificate for authentication.

So questions:

  1. Is there another way to allow a user to access the IIS hosted website if MTLS fails?
  2. There are many types of authentication supported in IIS (Digest, Basic, IISClientCertMapping etc.); Can a website developed in ASP.NET and hosted in IIS use these auth types in combination?
  3. Are any code changes required, or can this be done with IIS configuration only? (Note there are some paths in the ASP.Net application decorated with "Anonymous" access)
  4. Is it possible to use IISClientCertMapping with IPSecurity? (please mention what other options/IIS configurations are needed to be tweaked as well)
Bruce Zhang-MSFT 3,736 Reputation points
    2021-07-27T09:37:47.147+00:00

    Hi @Piyush Meshram ,

    When the browser makes a request, it always considers the first request to be Anonymous. Therefore, it does not send any credentials. If the server does not accept Anonymous OR if the Anonymous user account set on the server does not have permissions to the file being requested, the IIS server responds with an Access Denied error message and sends a list of the authentication types that are supported by using one of the following scenarios:

    • If Windows NT Challenge/Response is the only supported method (or if Anonymous fails), then the browser must support this method to communicate with the server. Otherwise, it cannot negotiate with the server and the user receives an Access Denied error message.
    • If Basic is the only supported method (or if Anonymous fails), then a dialog box appears in the browser to get the credentials, and then passes these credentials to the server. It attempts to send these credentials up to three times. If these all fail, the browser is not connected to the server.
    • If both Basic and Windows NT Challenge/Response are supported, the browser determines which method is used. If the browser supports Windows NT Challenge/Response, it uses this method and does not fall back to Basic. If Windows NT Challenge/Response is not supported, the browser uses Basic.

    If the answer is helpful, please click "Accept Answer" and upvote it.


    Best regards,
    Bruce Zhang
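The combination the question asks about (client certificate mapping plus an IP allow list, with anonymous paths still reachable) can be expressed in a site-level web.config. This is an added example, not configuration from the question or the answer; the IP address, CA name and mapped account are placeholders.

```xml
<!-- Added example (not from the question or answer): a site-level web.config
     combining the settings asked about. 203.0.113.10, "Example Internal CA"
     and DOMAIN\certmapped-svc are constructed placeholders. -->
<configuration>
  <system.webServer>
    <security>
      <!-- SslNegotiateCert asks the client for a certificate but does not
           reject the TLS handshake when none is presented, so the request can
           still reach the IP restriction and the anonymous paths below.
           Adding SslRequireCert ("Ssl, SslNegotiateCert, SslRequireCert")
           makes the certificate mandatory: a client without one gets
           HTTP 403.7 and the ipSecurity allow list never comes into play. -->
      <access sslFlags="Ssl, SslNegotiateCert" />

      <!-- Deny every address except the one trusted host. This is an access
           restriction layered on top of authentication, not a replacement
           for it: an unlisted IP is refused (403.6) even with a valid
           certificate, and the listed IP still gets whatever identity the
           authentication modules assign (anonymous if no certificate). -->
      <ipSecurity allowUnlisted="false">
        <add ipAddress="203.0.113.10" allowed="true" />
      </ipSecurity>

      <authentication>
        <!-- Keep anonymous enabled so the "Anonymous"-decorated paths work
             and a listed client without a certificate is not rejected here. -->
        <anonymousAuthentication enabled="true" />

        <!-- Map every certificate issued by the trusted CA to one Windows
             account; authorization for that account is then done in the app. -->
        <iisClientCertificateMappingAuthentication enabled="true"
            manyToOneCertificateMappingsEnabled="true"
            oneToOneCertificateMappingsEnabled="false">
          <manyToOneMappings>
            <add name="TrustedCaClients" enabled="true" permissionMode="Allow"
                 userName="DOMAIN\certmapped-svc" password="[placeholder]">
              <rules>
                <add certificateField="Issuer" certificateSubField="CN"
                     matchCriteria="Example Internal CA"
                     compareCaseSensitive="false" />
              </rules>
            </add>
          </manyToOneMappings>
        </iisClientCertificateMappingAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

The access, ipSecurity and authentication sections are locked at the server level by default, so they must be unlocked in applicationHost.config (or set there directly) before a site web.config can override them.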