Hi,
Currently I have an application where I only need windows authentication on particular endpoints, but since this is configured server wide this is currently not possible for me. For context, I have developed an ASP.NET Core application which returns 401 response when API endpoints are called without a JWT, but then IIS adds the WWW-Authenticate headers which I don't want.
I would like to avoid creating a dedicated server to deal with windows authentication, because that really would decouple my application. As of my understanding this is currently not possible when windows authentication is enabled on the project, as this is project wide and not per endpoint based. If I am missing something, please let me know.
I would like to suggest that an application can add some header IIS looks for, and when it is not present only then adds the WWW-Authenticate Negotiate and NTLM headers. So when I send for example the header X-Ignore-Windows-Authentication, IIS should remove this header and not attach the WWW-Authenticate headers.
I look forward to replies about this idea, because this definitely increases flexibility of IIS.