How does Windows Authentication really work? Web.c

Published 2019-08-15 08:09

Question:

Trying to fix Windows authentication. Objective: Windows Authentication. With Firefox a login dialog should appear, while with Internet Explorer the Windows user name and password should go to the web server automatically.

I set up a really small web application project, using the Empty template. Web.config looks like this:

<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5"/>
    <httpRuntime targetFramework="4.5"/>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <system.codedom>
    <compilers>
      <compiler language="c#;cs;csharp" .../>
      <compiler language="vb;vbs;visualbasic;vbscript" .../>
    </compilers>
  </system.codedom>
</configuration>

Running this site in FF or IE gives a 401 Unauthorized response, instead of a login dialog. Why?

Then I created another new web application project, now with the WinForms template and Authentication set to Windows. This creates some semi-interesting fake content, including a page header with a menu and a display of the Windows name of the logged-in user.

In the web.config I changed the authorization to:

<allow users="*"/>

Running this site in FF shows a login dialog; in IE it shows the page with my Windows user name in the header.

Now I change to:

<authentication mode="None" />

Running this site in FF shows the login dialog, while I expected to just see the page without having to log in. With IE, the page shows without my Windows user name in the header.

My conclusion is that there is more to setting the authentication than just those two places in web.config. If I knew more about this, I could fix some similar problems in my real web projects. Please Help!

Answer 1:

After a night of good sleep I got the idea to search for the configuration of the web server. It turned out VS2015 uses IIS Express. On SO I found that the IIS Express config file is in the solution's .vs directory, where the New Project template wrote that anonymous access is disabled. That explains the login dialog in Firefox even if the web.config has Authentication Mode=None.

I also found some interesting info from Hanselman: in the VS2015 Solution Explorer press F4 on the project to see some items that you don't find in the Property Pages. E.g. Anonymous Authentication Enabled/Disabled, but this seems not related to the config in .vs !?

It seems that certain things just cannot be made simple. I worked with the Apache web server and was daunted by the enormous collection of settings, but at least each of these was documented clearly. Windows has a reputation of making things user-friendly with GUI tools, so I find it unfortunate to still have to deal with less documented options like in XML config files in the hidden directory .vs.
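
The two layers this answer uncovers, as an added example that is not part of the original post: a Python script that reads the server-level authentication settings and a site's `<location>` override from an IIS Express-style config, then combines them with web.config's `<deny users="?">` rule to predict the first response an unauthenticated browser receives. The sample XML, the site name `WebApplication1`, the function names and the result strings are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like IIS Express's applicationhost.config;
# the site name "WebApplication1" is hypothetical.
APPHOST = """<configuration>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" />
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="WebApplication1">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

# Constructed web.config matching the question's last experiment.
WEB_CONFIG = """<configuration><system.web>
  <authentication mode="None" />
  <authorization><allow users="*" /></authorization>
</system.web></configuration>"""

AUTH = "system.webServer/security/authentication/"
# Values used when a scheme is not configured at all (IIS schema defaults).
SCHEMES = {"anonymousAuthentication": True, "windowsAuthentication": False}

def _enabled(node, scheme, default):
    el = node.find(AUTH + scheme) if node is not None else None
    value = el.get("enabled") if el is not None else None
    return default if value is None else value.lower() == "true"

def iis_auth(apphost_xml, site):
    """Effective IIS-layer settings: server level, then the site's <location> override."""
    root = ET.fromstring(apphost_xml)
    loc = next((l for l in root.findall("location") if l.get("path") == site), None)
    return {s: _enabled(loc, s, _enabled(root, s, d)) for s, d in SCHEMES.items()}

def first_response(apphost_xml, web_config_xml, site):
    """What an unauthenticated browser gets back on its first request."""
    iis = iis_auth(apphost_xml, site)
    web = ET.fromstring(web_config_xml)
    denies_anon = any(d.get("users") == "?"
                      for d in web.findall("system.web/authorization/deny"))
    if iis["anonymousAuthentication"] and not denies_anon:
        return "200 page served anonymously"
    if iis["windowsAuthentication"]:
        return "401 with WWW-Authenticate challenge"  # login dialog or automatic logon
    return "401 without challenge"  # plain error page, no dialog

if __name__ == "__main__":
    print(first_response(APPHOST, WEB_CONFIG, "WebApplication1"))
```

The `mode` attribute of `<authentication>` in web.config never enters the decision: whether the browser is challenged is settled by the IIS-layer settings and the authorization rules.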