FireFox, Windows Security, and Kestrel in ASP.NET Core (2023)

This page:

FireFox, Windows Security, and Kestrel in ASP.NET Core (1)

I'm working on an application that uses Windows Authentication for an intranet application. Windows authentication is used because some of the business rules are highly dependent on Active Directory roles and authorization information, and the most efficient way to obtain this information is through the built-in Windows authentication mechanisms provided by .NET Core.

I had issues with this app where the app refused to authenticate using Kestrel on my local machine when using the FireFox browser. Everything works with Chrome, Edgium and Edge, but FireFox just returned an infinite loop of login dialogs:

FireFox, Windows Security, and Kestrel in ASP.NET Core (2)

Figure 1- FireFox login dialogs galore

or worse, it refuses to authenticate and just returns the standard ASP.NET Core 401 response:

FireFox, Windows Security, and Kestrel in ASP.NET Core (3)

Figure 2- Kestrel's default response to a switch request in FireFox


(Video) Custom HTTPS Dev Environment using .NET Core, Kestrel & certificates

Adding Windows Authentication to ASP.NET Core

I wrote about using Windows Authentication not long ago, but it never hurts to go over the basics of setting up Windows Authentication again here, as it doesn't take much to set it up.

Start by adding a reference to the Negotiate Authentication package:

<PackageReference include="Microsoft.AspNetCore.Authentication.Negotiate" Version="3.0.0" />

Negotiate is the authentication scheme (Negotiate) used that works with Windows authentication. there is alsoNTLM, but as we'll see, Kestrel doesn't support this out of the box. However, Trade will work in most cases.

and then connect itConfigure Services():

servicios .AddAuthentication(NegotiateDefaults.AuthenticationScheme) .AddNegotiate();

and turn it onTo set up():

// Enable system authentication app.UseAuthentication(); app.UseAuthorization();

The built-in middleware will collect headers from Windows authentication tickets and create aWindowsPrincipalywindows identitythat are derived frommain claims, which means that groups and other AD settings are provided as claims.

Middleware order matters

Be sure to connect Windows Authentication .UseAuthentication() and .UseAuthorization after .AddRouting() but before any other middleware that uses authentication like MVC, Pages or StaticFiles. If the request is incorrect, the authentication will not work.

Once connected authentication works, you can force authentication through a[Authorize]attribute in a controller or you can just checkcontext.User.Identityto the windowswindows identity.

Using[Authorize]in a controller:

[Authorize] public class AccountController : BaseController { ... }

or you can access the user information in the controller's HttpContext property:

var user = this.HttpContext.User.Identity;

You could also explicitly challenge with a 401 response from your code, for example in a custom authentication middleware (as I'm doing in this app I'm working on):

(Video) ASP.NET Core Understanding the middleware pipeline, Startup configuration - Application Life Cycle

if (!context.User.Identity.IsAuthenticated){ context.Response.StatusCode = 401; context.Response.Headers.Add("www-authenticate", new StringValues(new string[] {"Negotiate", "NTLM"})); Logger.LogInformation("Login request since " + context.Connection.RemoteIpAddress); await context.Response.WriteAsync("Unauthorized Windows user"); owe null;}

The authentication provider provides authentication status, user account information along with any Windows or Active Directory groups the user is a part of in integrated claims.

Simple enough.

It works, but… FireFox

I'm happy to build my app using theChromium-based version of Edgeand it has worked without any problem. I also checked the app with classic edge and real chrome and everything works as it should.

However, using Firefox, I found that the app was not authenticating. This particular app is an angular app so I'm running local development server on port4200and the .NET server on the port5001on Kestrel with Kestrel providing Windows authentication.

In FireFox, this resulted in an endless loop of Windows login dialogs. I was getting tired of this (and you will too if I keep posting this image 😄):

FireFox, Windows Security, and Kestrel in ASP.NET Core (4)

When running from Angular app, you would see the dialog because Angular app is redirecting to .NET server for authentication to select authentication state. But each request ends with the dreaded login dialog in an endless loop.

If I access the app directly and access one of the endpoints with FireFox however I don't get authentication, just the authentication prompt.

FireFox, Windows Security, and Kestrel in ASP.NET Core (5)

This became even more frustrating in the sense thatit was not working using Kestrelas a web server, butI was working with IIS Express🇧🇷 What the hell?

I captured the output of requests from both servers to see what the difference might be and found this:

(Video) Intro to AppSettings in .NET Core - Appsettings.json, secrets.json, and more


HTTP/1.1 401 Unauthorized Date: Friday, Nov 15, 2019 00:51:46 GMTContent-Type: text/plainServer: KestrelWWW-Authenticate: NegotiateProxy-Support: Session-Based-AuthenticationContent-Length: 530Status Code: 401; not authorized

IIS Express:

HTTP/1.1 401 Unauthorized content type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0WWW-Authenticate: NTLM TlRMTVNTUAACAAAADAAMADgAAAAFgoqiVKtwQ7croagAAAAAAAAAAFAAUABEAAAACgDqSQAAAA9SAEEAUwBXAEkATgACAAwAUgBBAFMAVwBJAE4AAQAMAFIAQQBTAFcASQBOAAQADABSAEEAUwBXAEkATgADAAwAUgBBAFMAVwBJAE4ABwAIAH1CVNlNm9UBAAAAAA==Date: Fri, 15 Nov 2019 00:44:33 GMTContent-Length: 341Proxy-Support: Session-Based-Authentication<!DOCTYPE HTML PUBLIC " -//W3C//DTD HTML 4.01//EN"""><HTML><HEAD><TITLE>Not authorized</TITLE><GOAL HTTP -EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Unauthorized</h2><hr><p>HTTP Error 401. O request resource require user authentication.</p></BODY></HTML>

Kestrel is sending aNegotiateheader, while IIS is sending aNTLMauthentication header. Apparently, FireFox triesNTLMdifferent thanNegotiateyNTLMworks without any special configuration.Negotiatehowever, no.

However, AFAIK there is no way to configure Kestrel to send aNTLMheader as defaultNegotiate, To install Hrmph.

Configure Firefox

I knew that there are configuration options for Windows Authentication in FireFox and I started looking for them. The first thing I did was look at theNTLMsettings (before looking at the headers), which turned out to be the wrong set to change. NTLM works out of the box which is why IIS Express "just worked".

It wasn't until I saw theNegotiateheader that I revised to negotiate specific settings by configuring FireFox through itsabout: settingsDefinitions.

To do this:

  • open firefox
  • He writesabout: settingsin the address bar
  • He writesNegotiatein the search box
  • add domains tonetwork.negotiate-auth.trusted-uris

This looks like this:

FireFox, Windows Security, and Kestrel in ASP.NET Core (6)

Select thered-negociar-auth.trusted-uriswhich is a comma delimited list of domains you need Windows/AD Auth to work with. The above settings are forNegotiate🇧🇷 AddLOCALHOSTfor local development and any other domain that interests you.

Note that I'm using LOCALHOST and my local machine name; the last one isn't really necessary, but I'm adding it just in case as I have some scenarios where I'm using a hostname.

(Video) Intro to ASP.NET Core Razor Pages - From Start to Published

and boom! That worked!

FireFox NTLM configuration is not required

FireFox also has similar configuration settings for NTLM. To access them, follow the steps above withabout: settingsso go writentlmin the search box.

It looks like NTLM configuration is not required and FireFox respects native Windows configuration without any special configuration. YMV but for me when running through IIS which uses NTLM connections and auto logins they just worked without any custom FireFox ntlm configuration or negotiation keys. But if for some reason IIS won't authenticate, the NTLM configuration keys in FireFox are there for you to edit.

I can now successfully login to the app with FireFox, including automatic logins to local domains or workstation accounts.

It's great that this works, but it's still a bummer because it seems to require you to explicitly manually configure FireFox to work correctly with Windows Authentication. This is not ideal for a web application to say the least, even for an intranet, but presumably companies using FireFox and Windows or AD Auth already have a default policy for this.

It would be nice if the behavior between Kestrel and IIS wasn't different and didn't require custom settings in FireFox to work...


I keep running into roadblocks with Windows Authentication in ASP.NET Core. It works, but there are rough edges. Of course Windows Auth is not an ideal solution for authentication and would not be my first choice, but unfortunately due to the requirements it is what should be used in many cases.

I hope this post helps some of you and saves you from trying to figure out why FireFox is not authenticating with Windows Auth.

FireFox, Windows Security, and Kestrel in ASP.NET Core (7)this post created and published with theMarkdown Monster Editor

Other Posts You Might Also Like

  • Accept raw request body content in ASP.NET Core API controllers
  • Combination of Bearer Token and Cookie Authentication in ASP.NET
  • Role-based JWT tokens in ASP.NET Core APIs
  • Publish and run ASP.NET Core apps with IIS
(Video) Introduction to ASP.NET Core MVC in C# plus LOTS of Tips


Does Kestrel support Windows authentication? ›

Windows Authentication (also known as Negotiate, Kerberos, or NTLM authentication) can be configured for ASP.NET Core apps hosted with IIS, Kestrel, or HTTP. sys.

Does ASP.NET Core use Kestrel? ›

Kestrel is a cross-platform web server for ASP.NET Core. Kestrel is the web server that's included and enabled by default in ASP.NET Core project templates.

Should I use IIS or Kestrel? ›

Kestrel is an interesting option for anyone building . NET web applications. It's a relatively lightweight server compared to IIS, and as it's cross-platform, it simplifies how you might choose a hosting platform. It's also suitable as a development tool, running on desktop hardware for tests and experimentation.

Is Windows Authentication the same as Kerberos? ›

The main difference between NTLM and Kerberos is in how the two protocols manage authentication. NTLM relies on a three-way handshake between the client and server to authenticate a user. Kerberos uses a two-part process that leverages a ticket granting service or key distribution center.

How do I know if Windows Authentication is working? ›

On the taskbar, click Start, and then click Control Panel. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off. Expand Internet Information Services, then World Wide Web Services, then Security. Select Windows Authentication, and then click OK.

Which database is best for ASP.NET Core? ›

  • SQLite.
  • Postgres.
  • MySQL.
Aug 13, 2022

What is alternative to Kestrel? ›

Top 10 Alternatives to Kestrel Insights
  • WebEngage.
  • Netcore Customer Engagement and Experience Platform.
  • AirDroid Business.
  • Connecteam.
  • Purple.
  • Radar.
  • PlotProjects.
  • GeoComply.

Is Kestrel production ready? ›

Yes, Kestrel is production ready and is supported on all platforms and versions that . NET Core supports, but if your application is available on public networks Microsoft recommend that you use it with a reverse proxy: Even if a reverse proxy server isn't required, using a reverse proxy server might be a good choice.

What are the disadvantages of Kestrel? ›

Kestrel is relatively new and does not have a full complement of defenses against attacks. It's also not as feature rich as HTTP. sys and comes with timeout limits, size limits and concurrent user limits. In essence, the choice comes down to your web application's Deployment scenario.

Which is the most secure authentication method used in IIS? ›

The best option is to use Basic authentication over a Secure Sockets Layer (SSL) connection. SSL is the same protocol used to encrypt most e-commerce Web sites and is a secure and widely supported standard. With this configuration, the industry-standard SSL protocol encrypts your logon session.

What are the limits of Kestrel server? ›

The default maximum request body size is 30,000,000 bytes, which is approximately 28.6 MB. An exception is thrown if the app configures the limit on a request after the app has started to read the request.

What is difference between authentication and Authorization in ASP.NET Core? ›

Authentication is the process of determining a user's identity. Authorization is the process of determining whether a user has access to a resource. In ASP.NET Core, authentication is handled by the authentication service, IAuthenticationService, which is used by authentication middleware.

How many types of authentication are there in ASP.NET Core? ›

ASP.NET supports Forms Authentication, Passport Authentication, and Windows authentication providers. The mode is set to one of the authentication modes: Windows, Forms, Passport, or None. The default is Windows. If the mode is None, ASP.NET does not apply any additional authentication to the request.

How to enable authentication in ASP.NET Core? ›

Create a Web app with authentication
  1. Select File > New > Project.
  2. Select ASP.NET Core Web Application. Name the project WebApp1 to have the same namespace as the project download. Click OK.
  3. Select an ASP.NET Core Web Application, then select Change Authentication.
  4. Select Individual User Accounts and click OK.
Nov 30, 2022

Does Windows authentication use LDAP? ›

Both Windows Active Directory and LDAP can be used to allow users to connect to Serv-U by using Active Directory credentials. Additionally, LDAP allows for authentication against other LDAP servers such as Apache Directory Server and OpenLDAP.

How do I know if I am using NTLM or Kerberos? ›

If you need to identify what is being used at this moment the only way to recognize this is from the logs at log level 4. Once Kerberos authentication is enabled in EasySSO settings - the server and the browser will start exchanging "Negotiate" headers.

Does Windows authentication use SAML? ›

miniOrange achieves Windows integrated authentication by installing a component on a Windows Server linked to the Active Directory domain. This setup basically acts as a SAML 2.0 Identity Provider. When the user tries to access a cloud application like Salesforce, the request is forwarded to the miniOrange SSO Server.

What happens if you don't verify Windows? ›

What Happens if You Don't Activate Windows 10/11? If you wish to not activate Windows on your personal computer at all, you can still access it for as long as you want. In other words, you will not be stopped from using Windows even if you choose to never activate the software.

What is difference between Windows Authentication and authentication? ›

Forms authentication is where the user is required to login with credentials just for the web site. Windows authentication is for when the web site will accept the user's Windows credentials for login purposes.

What is the difference between Basic Authentication and Windows Authentication? ›

Difference between Basic Authentication and Windows authentication. Windows authentication authenticates the user by validating the credentials against the user account in a Windows domain. Basic authentication verifies the credentials that are provided in a form against the user account that is stored in a database.

Is ASP.NET Core outdated? ›

It is still widely used by developers and remains a top open-source framework on GitHub. In fact, according to the Stack Overflow 2021 developer survey, more than 15% of developers still prefer ASP.NET over other frameworks for their web development needs.

Why is ASP.NET Core most loved? ›

ASP.NET Core allows you to develop web applications, IoT apps, mobile backends, web services, and hybrid apps. This distinguishes it from other languages and frameworks that are specially built to run on server environments.

How ASP.NET Core is high performance? ›

ASP.NET Core apps should be designed to process many requests simultaneously. Asynchronous APIs allow a small pool of threads to handle thousands of concurrent requests by not waiting on blocking calls. Rather than waiting on a long-running synchronous task to complete, the thread can work on another request.

Does the military use Kestrel? ›

Kestrel Ballistics Meters deliver the uncompromising long-range accuracy required for tactical operations. There's a reason that Kestrel meters have long been trusted as the standard for military and law enforcement when it comes to long-range accuracy and repeatable reliability.

Why do I need Kestrel? ›

It allows ASP.NET Core applications to be run easily on other cross-platform webservers such as Nginx and Apache, without the need to address varying startup configurations. By using Kestrel as an in-process server, applications will have a consistent process (Startup (Main(), Startup. ConfigireServices(), Startup.

Which Kestrel is best for you? ›

Best Kestrels for Shooting & Hunting
  1. Kestrel Drop D3 Ballistics. Maybe I'm not the market for the Drop D3, but I honestly don't know who is the market. ...
  2. Kestrel 2700 Ballistics Weather Meter. ...
  3. Kestrel 5700 Ballistics Weather Meter. ...
  4. Kestrel 5700 with Hornady 4DOF. ...
  5. Kestrel 5700 Elite Applied Ballistics.
Jan 23, 2020

How many json files are in .NET Core? ›

Different configuration json files in Core There are mainly 6 configuration JSON files in Core.

Is Kestrel single threaded? ›

libuv uses a single threaded event loop model. Kestrel supports multiple event loops. Kestrel does only IO work on the libuv event loops. All non IO work (including anything related with HTTP like parsing, framing, etc) is done in managed code on standard .

Does Azure App Service use Kestrel? ›

In 2021, a group of engineers across multiple teams, including . NET and Azure, got together to transition the App Service Frontend fleet to Kestrel + YARP.

What is unique about a kestrel? ›

Kestrels have remarkably keen eyesight even in extremely poor light, allowing them to hunt almost until dark. Kestrels hunt from static perches and by hovering: the latter is far more productive, but uses lots of energy, which is why they hunt mainly from perches during the winter.

What is the lifespan of common kestrel? ›

At least females generally breed at one year of age; possibly, some males take a year longer to maturity as they do in related species. The biological lifespan to death from senescence can be 16 years or more, however; one was recorded to have lived almost 24 years.

Why are kestrels declining? ›

Loss of habitat has been suggested, along with decreasing prey populations, agricultural chemicals and lack of suitable nest sites.

What is the strongest authentication method? ›

3 Most Secure Authentication Methods
  • One-Time Password (OTP) An OTP and its sibling, time-based one-time passwords (TOTP), are unique temporary passwords. ...
  • Biometrics Authentication. If there's one thing that you always have with you, it's your body. ...
  • Continuous Authentication. ...
  • The Three Factors of Authentication.
Jun 20, 2022

Which is the most powerful authentication method? ›

Biometric Authentication Methods

Biometric authentication relies on the unique biological traits of a user in order to verify their identity. This makes biometrics one of the most secure authentication methods as of today.

Which authentication mode is more secure? ›

Windows Authentication is the default authentication mode, and is much more secure than SQL Server Authentication.

How many requests can ASP.NET Core handle per second? ›

7+ Million HTTP requests per second from a single server.

How many API requests can a server handle? ›

In the API Console, there is a similar quota referred to as Requests per 100 seconds per user. By default, it is set to 100 requests per 100 seconds per user and can be adjusted to a maximum value of 1,000. But the number of requests to the API is restricted to a maximum of 10 requests per second per user.

Does Kestrel need a reverse proxy? ›

Kestrel can be used by itself or with a reverse proxy server. A reverse proxy server receives HTTP requests from the network and forwards them to Kestrel. Examples of a reverse proxy server include: Internet Information Services (IIS)

Which is more important authentication or authorization? ›

Which Comes First, Authentication or Authorization? Authentication and authorization both rely on identity. As you cannot authorize a user or service before identifying them, authentication always comes before authorization.

Is JWT used for authentication or authorization? ›

To authenticate a user, a client application must send a JSON Web Token (JWT) in the authorization header of the HTTP request to your backend API. API Gateway validates the token on behalf of your API, so you don't have to add any code in your API to process the authentication.

What is the difference between the three types of authentication? ›

Authentication factors can be classified into three groups: something you know: a password or personal identification number (PIN); something you have: a token, such as bank card; something you are: biometrics, such as fingerprints and voice recognition.

What are those 4 commonly authentication methods *? ›

The most common authentication methods are Password Authentication Protocol (PAP), Authentication Token, Symmetric-Key Authentication, and Biometric Authentication.

What is the default authentication in ASP.NET Core? ›

Starting in ASP.NET Core 7.0, if (and only if) a single scheme is registered in an application, that scheme is treated as the default. In the following code, the CookieDefaults. AuthenticationScheme is treated as the default scheme.

Does Kestrel support Windows Authentication? ›

Windows Authentication (also known as Negotiate, Kerberos, or NTLM authentication) can be configured for ASP.NET Core apps hosted with IIS, Kestrel, or HTTP. sys.

How do I authenticate API in .NET Core? ›

In this article
  1. Create an app with API authorization support.
  2. General description of the ASP.NET Core components of the app.
  3. General description of the Angular app.
  4. General description of the React app.
  5. Require authorization on a new API.
  6. Customize the API authentication handler.
  7. Protect a client-side route (Angular)
Sep 19, 2022

Which plugin is used for Windows Authentication? ›

The authentication_windows plugin uses the Windows security API to check which Windows user is connecting.

Is Windows Authentication the same as SSO? ›

Windows authentication with SSO works the same way as Windows Authentication managed by IIS with respect to security zones. However, there are some differences. The SSO server will authenticate the user once.

Can we use Windows Authentication in Web API? ›

Windows authentication enables users to log in with their Windows credentials, using Kerberos or NTLM. The client sends credentials in the Authorization header. Windows authentication is best suited for an intranet environment.

What authentication method does Windows use? ›

The Windows operating system implements a default set of authentication protocols, including Kerberos, NTLM, Transport Layer Security/Secure Sockets Layer (TLS/SSL), and Digest, as part of an extensible architecture.

How do I verify Windows Security? ›

Run a quick scan in Windows Security
  1. Select Start > Settings > Update & Security > Windows Security and then Virus & threat protection. Open Windows Security settings.
  2. Under Current threats, select Quick scan (or in early versions of Windows 10, under Threat history, select Scan now).

What ports are needed for Windows Authentication? ›

Integrated Windows Authentication uses kerberos authentication using port 88 (GSSAPI's).

Is SSO better than MFA? ›

The main difference between MFA and SSO is that MFA is a type of authentication that alleviates the low security of passwords by introducing an extra layer of security, whereas SSO is a cloud security technology that mitigates the hassle of reentering the password by asking the user to type their password only once per ...

What is one benefit to Windows Authentication over SQL authentication? ›

Connecting Through Windows Authentication

This means that the user identity is confirmed by Windows. SQL Server does not ask for the password, and does not perform the identity validation. Windows Authentication is the default authentication mode, and is much more secure than SQL Server Authentication.

Does SSO bypass MFA? ›

Single Sign-On

Site A: does not require MFA Site B: requires MFA Anyone logged into Site A is automatically logged into Site B. If an attacker can compromise a user's SSO password, they can log into the user's account on Site B by logging into Site A, easily bypassing MFA.

Which authentication is best for web API? ›

OAuth 2.0. OAuth (specifically, OAuth 2.0) is considered a gold standard when it comes to REST API authentication, especially in enterprise scenarios involving sophisticated web and mobile applications.

Is API key enough for authentication? ›

API keys aren't as secure as authentication tokens (see Security of API keys), but they identify the application or project that's calling an API. They are generated on the project making the call, and you can restrict their use to an environment such as an IP address range, or an Android or iOS app.

What is the best authentication method for Web application? ›

5 Common Authentication Types
  1. Password-based authentication. Passwords are the most common methods of authentication. ...
  2. Multi-factor authentication. ...
  3. Certificate-based authentication. ...
  4. Biometric authentication. ...
  5. Token-based authentication.

What are the 3 types of computer authentication? ›

Authentication factors can be classified into three groups: something you know: a password or personal identification number (PIN); something you have: a token, such as bank card; something you are: biometrics, such as fingerprints and voice recognition.

Which is the most secure method to authenticate a user? ›

Biometric authentication relies on the unique biological traits of a user in order to verify their identity. This makes biometrics one of the most secure authentication methods as of today.

What is the best user authentication method? ›

The most common authentication method that goes 'beyond passwords' is to implement multi-factor authentication (MFA), which is also known as 2-step verification (2SV) or two-factor authentication (2FA).


1. State of ASP.NET Core | .NET Conf 2022
2. Migrate Your Legacy ASP.NET Projects to ASP.NET Core Incrementally with YARP | .NET Conf 2022
4. Blazor Course - Use ASP.NET Core to Build Full-Stack C# Web Apps
5. ASP.NET Web API using NET 6 C# & Windows authentication
6. Top Course - Learn ASP.NET Core 5.0 MVC - CRUD Operations, EntityFramework Core
Top Articles
Latest Posts
Article information

Author: Moshe Kshlerin

Last Updated: 03/22/2023

Views: 6185

Rating: 4.7 / 5 (77 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Moshe Kshlerin

Birthday: 1994-01-25

Address: Suite 609 315 Lupita Unions, Ronnieburgh, MI 62697

Phone: +2424755286529

Job: District Education Designer

Hobby: Yoga, Gunsmithing, Singing, 3D printing, Nordic skating, Soapmaking, Juggling

Introduction: My name is Moshe Kshlerin, I am a gleaming, attractive, outstanding, pleasant, delightful, outstanding, famous person who loves writing and wants to share my knowledge and understanding with you.