We've built an internal ODATA API that is hosted on IIS. It's been up and running for some time and everything works as expected.
Now, I have a specific application (Tableau Desktop) that needs to connect to some of the ODATA API endpoints. Tableau Desktop can't use Windows authentication when connecting to ODATA (I'm aware that Tableau Server can), so I thought I would look into a way to override the default authentication.
My problem is this: IIS, being the host, controls authentication to all endpoints using Windows authentication. I want to override the host authentication to allow a user to connect to Tableau using Basic authentication on specific endpoints.
If Windows authentication is enabled at all, it overrules any attempts I make to force Basic authentication.
Is it possible to turn off Windows authentication for specific endpoints/controllers?
I tried doing it by adding these tags, but it doesn't work:
[OverrideAuthentication, OverrideAuthorization]
[Authorize, IdentityBasicAuthentication]
public class ProjectTrackingController : ODataController
The IdentityBasicAuthentication tag is a custom authorization component I put together to check basic credentials. This custom component gets hit every time I make a request, but even though I type my credentials into the browser/Tableau, the request gets passed along with the "Negotiate" header that appears to have a key for Windows credentials. There never appears to be an attempt at authorizing the HTTP request with Basic auth.
There does not appear to be a way to override the parent level authentication as it stands. Since we are authenticating with IIS, the code cannot override the NTLM authentication required by IIS. Even though I added tags for Basic authentication, IIS restricts this at the top level.
We are going to switch to HTTPS (which needs to be done anyway for better security) and then enable Basic auth in IIS rather than NTLM. This should resolve the current issues we are seeing when connecting Tableau.