Windows Authentication for ASP.NET MVC 4 – how it works, how to test it

For IIS 8.5 and MVC 4:

How does Windows Authentication work?

In this mode, User.Identity (as in HttpContext.Current.User.Identity) is populated by the underlying web server. This might be IIS Express in the link from @R Kumar demonstrated, or full blown IIS as in the video by @Thomas Benz.

Specifically, User.Identity is a WindowsIdentity object. E.g. the following cast will work:

WindowsIdentity clientId = (WindowsIdentity)HttpContext.Current.User.Identity;

How do I implement Windows Authentication correctly in the web.config file?

  <system.web>
    <authentication mode="Windows" />
  ...

How do I test if the Windows Authentication really works for my ASP.NET MVC 4 web site? In other words, how do I test it on my local development PC with local IIS (version 8), and on my company real web server with IIS version 7?

First, change the ASP.NET authorization to exclude the current user. E.g.

  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow users="yourdomain\someotheruser" />
      <deny users="*" />
    </authorization>

Second, enable Windows Authentication for your site using IIS Manager. It's under the 'Authentication' feature. And disable anonymous authentication.

Note that older explanation will suggest you make changes under element of your site's web.config. However, recent IIS implementations prevent this for security reasons.

Three, point your browser at the webpage. The browser should ask you to provide credentials, because the current user is not allowed access to the website. Provide the ones that are authorized for the site, and your MVC code should run.

Four, check the user identity. E.g.

WindowsIdentity clientId = (WindowsIdentity)HttpContext.Current.User.Identity;