I have an on-premise ASP.Net Core Web API application running under IIS 10 on Windows Server 2016. Previously, this was secured using Windows Authentication, but it has now been converted such that users authenticate through Azure AD. Therefore authentication is now handled entirely by the app itself.
I'm unsure which IIS Authentication setting I should now use. In IIS, if I leave Windows Auth enabled, the user is presented with a dialog requesting username and password, which is obviously not required now that logon is handled via the standard Microsoft Online page. So I disabled Windows Auth and enabled Anonymous Authentication, figuring this would be the correct way to pass responsibility for authentication from IIS to the application.
This works, but I am concerned that enabling Anonymous Auth could present a security risk.
Is anyone able to advise on the correct IIS configuration when using Azure AD? Note that the website is not public-facing; it is internal to my organization.
EDIT: To clarify my thinking on the points raised below by Lex Li...
Since the authentication is all in the app now, if the app is written properly it will protect all the information. Your settings are the correct settings. When authenticating to AAD, IIS must be set to allow anonymous.
The API endpoint, using either the MSAL/ADAL libraries or your own, should implement checks to ensure the token from the user is a valid token. Today, the vast majority of websites and almost all APIs are secured using such methods; API endpoints take tokens as authentication, and this is the accepted standard in today's world. They essentially all have "allow anonymous" / the Linux equivalent.
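As an added example (not code from the question or the answer above), this is what the "IIS allows anonymous, the app validates the token" setup looks like in a minimal ASP.NET Core API. It assumes the Microsoft.Identity.Web package, an "AzureAd" section in appsettings.json, and a scope named `access_as_user`; those names are assumptions, not values from the thread.

```csharp
// Added example: Program.cs for an ASP.NET Core API hosted in IIS with
// Anonymous Authentication enabled and Windows Authentication disabled.
// IIS forwards every request; the app validates the Azure AD bearer token
// and rejects anything that is not authenticated.
// Assumptions: Microsoft.Identity.Web is referenced and appsettings.json has
// an "AzureAd" section (Instance, TenantId, ClientId, Audience).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

var builder = WebApplication.CreateBuilder(args);

// Validate incoming JWTs (signature, issuer, audience, expiry) against the tenant.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// Because IIS no longer gates requests, make "authenticated user required" the
// default for every endpoint, so a controller that forgets [Authorize] is still
// protected. Only endpoints explicitly marked [AllowAnonymous] are open.
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = options.DefaultPolicy;
});

builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
public class ReportsController : ControllerBase
{
    [HttpGet]
    [RequiredScope("access_as_user")] // assumed scope name from the app registration
    public IActionResult Get() => Ok(new { user = User.Identity?.Name });

    [HttpGet("health")]
    [AllowAnonymous] // deliberate exception, e.g. for a load-balancer probe
    public IActionResult Health() => Ok("ok");
}
```

With the fallback policy in place, a request without a valid bearer token gets 401 from the app even though IIS let it through, which is the check that makes "Anonymous Authentication enabled" safe. The IIS side stays as described in the question: anonymousAuthentication enabled, windowsAuthentication disabled.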