How to start and stop an ASP.NET Core 2.1 app programmatically with Windows Authentication enabled?

Question

I have a very specific set of needs for an ASP.NET Core 2.1 application, that I can't seem to resolve. The purpose of the app is to demonstrate use of a web proxy with automation tools like Selenium, specifically against a site that uses NTLM authentication.

Because this is a demo site to be used in the context of other running code, I need to be able to start and stop it programmatically. I can't seem to find any way to use Kestral and IIS/IIS Express effectively to start and stop the app appropriately.

Because I want to demonstrate use of web browsers configured with a proxy to browse and be authenticated by this site, and because most browsers bypass a proxy when browsing localhost sites (and its cousins 127.0.0.1 and ::1 ), I need to be able to use a host name other than localhost to browse the site, and I'm using a simple alias in my hosts file for this purpose. However, this lets HTTP.sys right out, as attempting to register any URL prefix other than localhost results, entirely unsurprisingly knowing how HTTP.sys works, in an Access denied error.

I've examined several other answers , all of which seem to be outdated, or just do not work for me.

Startup class is as follows:

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<IISOptions>(iis => { iis.AutomaticAuthentication = false; });
        services.AddAuthentication(IISDefaults.AuthenticationScheme);
        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseMvc();
    }
}

If I manually launch the app in the debugger using the "IIS Express" profile, it works in that I get prompted for credentials. If I use the "project" profile, of course, it doesn't work because Kestrel doesn't appear to understand Windows Authentication without HTTP.sys. If I attempt to use any programmatic means to start the app ( WebHost.CreateDefaultBuilder().Build().StartAsync , for example), it fails to prompt for authentication, I'm guessing for the same reasons it doesn't work under the "project" profile in the debugger.

The point is to avoid a minimum of configuration for users once cloning the demonstration repo. Hosting the web app in full-blown IIS is a non-starter. Similarly, solutions that require admin access (like using netsh http add urlacl ) or running as admin are also non-starters, as many users do not have administrative access to their machines.

Is what I'm attempting even possible? How can I cobble this together to make it work? "What you're trying to do is impossible," is a perfectly valid answer, but if that's the answer given, I'd like additional information of why this it's impossible.

Answer 1

I do not have much experience with IIS, nor do I fully understand your situation, but I hope I can share enough to help you figure this out.

There seem to be three aspects to your question:

1. Not using localhost as the hostname.
2. Windows Authentication
3. Starting & Stopping the app programmatically.

I can't help with 1. Regarding windows authentication:

1. ASP.NET Core supports two hosting models with IIS: InProcess and OutOfProcess .
2. When you choose "IIS Express", IIS runs the ASP.NET Core Application for you ( InProcess ) -- so there's no kestrel in the picture. When you choose the project profile, you're essentially self-hosting the application with Kestrel ( OutOfProcess ) -- so there's no IIS in the picture unless you explicitly configure it to act as a reverse proxy.
3. As long as you got IIS in the picture whether with InProcess or OutOfProcess , you should be able to get Windows Authentication working.
4. Kestrel's support for windows authentication depends on HTTP.sys.
5. Recommended reading: Configure Windows Authentication in ASP.NET Core | Host ASP.NET Core on Windows with IIS

Regarding starting and stopping the application:

1. With OutOfProcess you have full control, you can start and stop at will since you have access to the WebHost object.
2. With InProcess , I'm not sure if starting/stopping with WebHost would work, but you can stop it using IApplicationLifetime.StopApplication() and let IIS start it back up for you on the next request.