I have an asp.net Web API server running under IIS, that until now has used windows authentication as it has only had other services running on the same domain conencting to it.
So, in my web.config I have the following settings...
<system.web>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
<authentication mode="Windows" />
</system.web>
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
</security>
....
With this I can use a browser (or the services) on the same domain and reach my services.
Now we want to allow Mobile applications to also connect. We will be using a a token based scheme based on this, and so far to use this I need to turn off the Windows authentication in my web.config
to use this. If I leave in the windows configuration as above, I don't even get any of the Owin middle where methods (or custom filters) called when I, for example, se Postman to call a route with no windows authentication set.
So my question is
- How can I allow either authentication, so that even a Browser (on the same domain) can still call the routes and be authenticated (via the Negotiate), but also allow other clients to use the token based scheme? Also (very important) how do I configure this in
web.config
to allow both?
Thanks in advance for any help!