I have an ASP.NET Core 8 web app that uses Windows authentication. Not all the users in the organization have permission to access the app. They have to have certain application roles, and those roles are defined in a database.
I use a claims transformer, as per the code below, to pull the user's roles from the database and add them as claims.
If a user doesn't have permission to access the app, then he/she doesn't have any roles. Authorization is handled through Authorize(Roles = "...").
So far so good.
Now my question. When I do development (I use IIS Express), my own Windows account doesn't have permission to access the app, and I have to log in with special test accounts. The problem is that Chrome authenticates me automatically, and the app returns a 403 when I go to the landing page.
I found a workaround: if I open the app in a Chrome incognito window, it always prompts me for a password.
However, I am curious to see whether there is a way to be prompted for a password in the normal Chrome window. Interestingly enough, this app is a conversion to .NET Core from .NET Framework, and Chrome used to prompt me for a password in the old app whenever I deleted the cookies. But in the new version there seem to be no cookies to delete. The claims transformer is called every time I access anything.
Program.cs:

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Server.IIS;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddControllersWithViews()
    .AddRazorRuntimeCompilation(); // requires the Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation package

// Windows authentication via Negotiate (Kerberos/NTLM). Under IIS / IIS Express with
// Windows Authentication enabled, the server performs the handshake itself.
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
    .AddNegotiate();
// builder.Services.AddAuthentication(IISServerDefaults.AuthenticationScheme);

// Adds the database roles as claims. With Negotiate there is no authentication cookie,
// so the transformer runs on every request.
builder.Services.AddTransient<IClaimsTransformation, AppClaimsTransformer>();
builder.Services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();

builder.Services.AddSession(options =>
{
    options.IdleTimeout = TimeSpan.FromMinutes(20);
    options.Cookie.Name = ".myapp.s";
    options.Cookie.HttpOnly = true;
    options.Cookie.IsEssential = true;
});

builder.Services.AddAuthorization(options =>
{
    // The fallback policy applies to every endpoint that has no authorization of its own:
    // the caller must be authenticated and hold the application user role.
    options.FallbackPolicy = //options.DefaultPolicy;
        new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .RequireRole(RolesConstants.AppUserRole)
            .Build();
});

builder.Services.Configure<IISServerOptions>(options =>
{
    // true (the default): IIS populates HttpContext.User with the Windows identity on every request.
    options.AutomaticAuthentication = true;
});

// No need to add this
// builder.Services.AddRazorPages();

var app = builder.Build();

// For MVC error handling. Use the branch builder (appBuilder) inside UseWhen, not app:
// calling app.Use... here registers the middleware on the main pipeline instead of the branch.
app.UseWhen(context => !context.Request.Path.StartsWithSegments("/api"), appBuilder =>
{
    if (app.Environment.IsDevelopment())
    {
        appBuilder.UseDeveloperExceptionPage();
    }
    else
    {
        appBuilder.UseExceptionHandler("/Home/Error");
        appBuilder.UseHsts();
    }
});

// Web API error handling. 'log' and ConfigureExceptionHandler are the app's own helpers
// and are not shown here.
app.UseWhen(context =>
{
    var result = context.Request.Path.StartsWithSegments("/api");
    // log.Info($"{context.Request.Path}, {result}");
    return result;
}, appBuilder =>
{
    appBuilder.ConfigureExceptionHandler(log);
});

app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseSession();

app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}/{action=Index}/{id?}");

app.Run();
Thanks
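The AppClaimsTransformer registered in the Program.cs above is not shown in the post. The following is an added example of one way to write it, not the asker's code: it looks up the authenticated Windows account name in a role store and adds the roles as ClaimTypes.Role claims on a second identity, which is what RequireRole and [Authorize(Roles = "...")] check. IAppRoleStore, InMemoryAppRoleStore, the sample accounts, the 5-minute cache lifetime and the value of RolesConstants.AppUserRole are assumptions for illustration. Because Negotiate issues no cookie, TransformAsync runs on every request (matching what the asker observes), so the example caches the database lookup briefly and refuses to add the same claims twice.

```csharp
// Added example (not the asker's code). Assumed names: IAppRoleStore, InMemoryAppRoleStore,
// the sample accounts, the cache lifetime and the AppUser role value.
// Registration in Program.cs (in addition to the AddTransient<IClaimsTransformation, ...> already there):
//   builder.Services.AddMemoryCache();
//   builder.Services.AddSingleton<IAppRoleStore, InMemoryAppRoleStore>();
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Caching.Memory;

public static class RolesConstants
{
    // Referenced by Program.cs but not shown in the post; the value is assumed.
    public const string AppUserRole = "AppUser";
}

public interface IAppRoleStore
{
    // Application roles for a Windows account name (DOMAIN\user); empty when the account is not provisioned.
    Task<IReadOnlyList<string>> GetRolesAsync(string accountName, CancellationToken cancellationToken);
}

// Stand-in for the roles table. Constructed sample data; a real store would run a database query here.
public sealed class InMemoryAppRoleStore : IAppRoleStore
{
    private static readonly Dictionary<string, string[]> Roles = new(StringComparer.OrdinalIgnoreCase)
    {
        ["CORP\\testuser1"] = new[] { RolesConstants.AppUserRole, "Reports" },
        ["CORP\\testadmin"] = new[] { RolesConstants.AppUserRole, "Admin" },
        // CORP\\developer is deliberately absent: no roles, so the fallback policy answers 403.
    };

    public Task<IReadOnlyList<string>> GetRolesAsync(string accountName, CancellationToken cancellationToken)
        => Task.FromResult<IReadOnlyList<string>>(
            Roles.TryGetValue(accountName, out var roles) ? roles : Array.Empty<string>());
}

public sealed class AppClaimsTransformer : IClaimsTransformation
{
    // Label on the identity this transformer adds; used to make the transformation idempotent.
    private const string AppIdentityLabel = "AppRoles";
    // Assumed lifetime. A removed role stays effective for at most this long; shorten it if that matters.
    private static readonly TimeSpan CacheLifetime = TimeSpan.FromMinutes(5);

    private readonly IAppRoleStore _store;
    private readonly IMemoryCache _cache;

    public AppClaimsTransformer(IAppRoleStore store, IMemoryCache cache)
    {
        _store = store;
        _cache = cache;
    }

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // No cookie is issued with Negotiate, so this runs on every request. Anonymous callers get nothing.
        var identity = principal.Identity;
        if (identity is not { IsAuthenticated: true, Name: { Length: > 0 } accountName })
            return principal;

        // Already transformed (transformation can be invoked more than once for one principal).
        if (principal.Identities.Any(i => i.Label == AppIdentityLabel))
            return principal;

        var roles = await _cache.GetOrCreateAsync(
            $"approles:{accountName.ToUpperInvariant()}",
            async entry =>
            {
                entry.AbsoluteExpirationRelativeToNow = CacheLifetime;
                return await _store.GetRolesAsync(accountName, CancellationToken.None);
            }) ?? Array.Empty<string>();

        // Not provisioned: return the principal unchanged so RequireRole fails and the app answers 403.
        if (roles.Count == 0)
            return principal;

        // Put the roles on a separate identity whose role claim type is ClaimTypes.Role.
        // ClaimsPrincipal.IsInRole checks every identity, so RequireRole and [Authorize(Roles=...)] see them.
        // The incoming Windows identity is never mutated.
        var appIdentity = new ClaimsIdentity(
            authenticationType: identity.AuthenticationType,
            nameType: ClaimTypes.Name,
            roleType: ClaimTypes.Role)
        {
            Label = AppIdentityLabel,
        };
        foreach (var role in roles.Distinct(StringComparer.OrdinalIgnoreCase))
            appIdentity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, issuer: "AppRoleStore"));

        var transformed = principal.Clone();
        transformed.AddIdentity(appIdentity);
        return transformed;
    }
}
```

Two points a practitioner would check with this design: the lookup is keyed by account name, so a renamed account silently loses (or gains) roles until the table is updated, and keying by the Windows SID is more robust if the store can hold it; and the cache means a role revoked in the database stays effective for up to the cache lifetime, so pick that value against the revocation latency you can accept.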

If you disable your "AutomaticAuthentication" option, you should get the behavior you expect.