ASP.Net Core 2.0 mixed authentication of JWT and Windows Authentication doesn't accept credentials
You need to ensure, that you NOT setting Authorization: Bearer <JWT_token>
HTTP header when you trying to use Windows Auth. The key point here is how "Windows Auth" actually works. Let's look how it works with browser for example.
Let's call this "a normal flow":
- You navigate to
http://example.com/api/resource
in your browser; - Your browser send a HTTP GET request to
http://example.com/api/resource
without anyAuthorization
HTTP Header for now (an anonymous request); - Web server (or WebAPI themself) recieve a request, find out, that there is no
Authorization
header and respond with401 Not Authorized
status code withWWW-Authenticate: NTLM,Negotiate
HTTP Header setted up ("Go away, no anonymous access. Only 'NTLM' or 'Negotiate' guys are welcome!"); - Browser receive a
401
response, find out that request was anonymous, looks toWWW-Authenticate
header and instantly repeat request, now withAuthorization: NTLM <NTLM_token>
HTTP Header ("Ok, take it easy, mr. Web server! Here is my NTLM token."); - Server receive a second request, find NTLM token in
Authorization
header, verify it and execute request ("Ok, you may pass. Here is your resource.").
Things goes a little different, when you initialy set Authorization
header to some value:
- Your JS require
http://example.com/api/resource
with JWT authorization; - Your browser send a HTTP GET request to
http://example.com/api/resource
withAuthorization: Bearer <JWT_token>
HTTP Header now; - Web server (or WebAPI themself) recieve a request, find out, that there is
Authorization
header with "Bearer" authentication scheme and again respond with401 Not Authorized
status code withWWW-Authenticate: NTLM,Negotiate
HTTP Header setted up ("Go away, we don't know who are this 'Bearer' guys, but we don't like them. Only 'NTLM' or 'Negotiate' guys are welcome!"); - Browser receive a
401
response, find out that request was authorized and decide that this token is bad. But, as you actually setAuthorization
header, this means that you actually have some credentials. And so it ask you for this credentials with this dialog.