proper implementation of "windows" authentication in web api?

If you are using IIS Express, you need to update the applicationhost.config file.

This is the file version of the IIS configuration tool, where you can configure the web server itself. You can find this file in the following directory:

%userprofile%\my documents\iisexpress\config\applicationhost.config

When you find it, update it as:

<windowsAuthentication enabled="true">
    <providers>
        <add value="Negotiate" />
        <add value="NTLM" />
    </providers>
</windowsAuthentication>

For IIS:

  1. Select your Application
  2. Double Click - 'Authentication'
  3. Enable Windows Authentication
  4. Restart IIS Server

Check this for more details

Windows authentication that uses the local domain user and that is intended for intranet sites.

Example:

I implemented a TestAuthentication method/action with a fixed route path. For the demo I do not include Authorize attributes yet. The code checks the User property of the ApiController. This contains the same data as Thread.CurrentPrincipal or HttpContext.Current.User. Make sure Anonymous Authentication in IIS is disabled, otherwise the Identity.Name will be empty.

using System.Diagnostics;
using System.Web.Http;

public class WinAuthController : ApiController
{
    public IHttpActionResult TestAuthentication()
    {
        // User holds the same principal as Thread.CurrentPrincipal / HttpContext.Current.User
        Debug.Write("AuthenticationType:" + User.Identity.AuthenticationType);
        Debug.Write("IsAuthenticated:" + User.Identity.IsAuthenticated);
        Debug.Write("Name:" + User.Identity.Name);

        if (User.Identity.IsAuthenticated)
            return Ok("Authenticated: " + User.Identity.Name);

        return BadRequest("Not authenticated");
    }
}

In Web.config file :

   <authentication mode="Windows" />

In IE you can check the setting with Tools > Internet Options > Advanced and look for a setting Enable Windows Integrated Authentication. When you go to the tab Security and then Intranet and Custom Level, then you will find a setting at the bottom to specify if IE should logon automatically or prompt for the username and password.


Please visit the link below; it has the proper steps to follow for Web API Windows authentication:

Below are the steps to configure windows authentication in web api for both local and server (IIS).

1) For Local:

a) To create a web api project in windows authentication mode, follow the steps below:

After choosing ASP.Net Web Application, select Web API template and from the right side click Change Authentication button and select Windows Authentication.

b) For an existing web api project, just add the following lines in your applicationhost.config file.

<location path="YourProjectName">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
</location>

2) For Server (IIS)

To run windows authentication after hosting the application in IIS, just add the following lines in your web.config file inside the system.web node:

<authentication mode="Windows" />
<authorization>
    <allow verbs="OPTIONS" users="?" />
    <deny users="?" />
</authorization>

In both cases, just use the following lines in your code to check that windows authentication is working properly:

    //do work
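As an added check, not taken from any answer on this page: a small Python audit of the web.config shape described in step 2. It assumes the ASP.NET URL authorization rule that allow/deny entries are evaluated top to bottom with the first match winning, and it constructs its own sample configs (one matching the snippet above, one deliberately weak).

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment matching step 2 above (correct ordering).
GOOD_WEBCONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow verbs="OPTIONS" users="?" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>"""

# Constructed weak variant: wrong mode, and deny listed first, so the OPTIONS
# allow never matches and a CORS preflight (sent without credentials) gets 401.
BAD_WEBCONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms" />
    <authorization>
      <deny users="?" />
      <allow verbs="OPTIONS" users="?" />
    </authorization>
  </system.web>
</configuration>"""


def audit_webconfig(xml_text):
    """Return a list of findings; an empty list means the config matches the expected shape."""
    root = ET.fromstring(xml_text)
    findings = []
    auth = root.find("./system.web/authentication")
    if auth is None or auth.get("mode") != "Windows":
        findings.append("authentication mode is not Windows")
    # URL authorization rules are evaluated top to bottom; the first match wins.
    rules = [(r.tag, r.get("users"), r.get("verbs"))
             for r in root.findall("./system.web/authorization/*")]
    deny_idx = next((i for i, r in enumerate(rules)
                     if r[0] == "deny" and r[1] == "?"), None)
    allow_idx = next((i for i, r in enumerate(rules)
                      if r[0] == "allow" and r[1] == "?"
                      and r[2] and "OPTIONS" in r[2].upper()), None)
    if deny_idx is None:
        findings.append("anonymous users (?) are never denied")
    if allow_idx is None:
        findings.append("no anonymous allow for OPTIONS: CORS preflight will be rejected")
    elif deny_idx is not None and deny_idx < allow_idx:
        findings.append("deny users=? precedes the OPTIONS allow, so preflight is still rejected")
    return findings
```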

In addition to the previous answers, we also need to Pass credentials in cross-origin requests.

Server Side (Web API):

Set the SupportsCredentials property to true on the [EnableCors] attribute:

[EnableCors(origins: "", headers: "*", 
methods: "*", SupportsCredentials = true)]

Client Side (UI):

Set XMLHttpRequest.withCredentials to true.


$.ajax({
  type: 'get',
  url: '',
  xhrFields: {
    withCredentials: true
  }
});

this.http.get('', { withCredentials: true }).subscribe((resp: any) => {
  // handle the response
});


var xhr = new XMLHttpRequest();
xhr.open('get', '');
xhr.withCredentials = true;
xhr.send();