.0&tabs=visual-studio#kestrel states

Code was generated by the ASP.NET Core Razor Pages template with Windows authentication specified.

AddAuthentication, AddNegotiate & UseAuthentication

However if you create a .NET 9 Razor page project with Windows auth, UseAuthentication is not in the generated code.

Which is correct, the template or documentation?

The reason I ask is my project that errors when app.UseStatusCodePagesWithReExecute("/StatusCode/{0}"); is called before UseAuthentication.

This only happens in the development environment when set to Windows auth is on.

If published to the server or the same project uses individual account authorization, this error doesn’t occur.

If the template is correct, then I can remove this line when using Windows authorization which should fix my issue, but I need to know it wont impact the site security?

https://learn.microsoft/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-9.0&tabs=visual-studio#kestrel states

Code was generated by the ASP.NET Core Razor Pages template with Windows authentication specified.

AddAuthentication, AddNegotiate & UseAuthentication

However if you create a .NET 9 Razor page project with Windows auth, UseAuthentication is not in the generated code.

Which is correct, the template or documentation?

The reason I ask is my project that errors when app.UseStatusCodePagesWithReExecute("/StatusCode/{0}"); is called before UseAuthentication.

This only happens in the development environment when set to Windows auth is on.

If published to the server or the same project uses individual account authorization, this error doesn’t occur.

If the template is correct, then I can remove this line when using Windows authorization which should fix my issue, but I need to know it wont impact the site security?

• asp-core
• authorization
• -9.0

1 Answer 1

I validated your issue in my side, and below is what I get from Program.cs which is generated by using .Net 9 asp core razor page template(choose windows auth as authentication type) from VS 2022.

using Microsoft.AspNetCore.Authentication.Negotiate;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
   .AddNegotiate();

builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = options.DefaultPolicy;
});
builder.Services.AddRazorPages();

var app = builder.Build();
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthorization();
app.MapStaticAssets();
app.MapRazorPages()
   .WithStaticAssets();
app.Run();

And it's true that there's no app.UseAuthentication() middleware which is different from what the document states. Then which one is correct, is it necessary to have app.UseAuthentication()?

I think it's not necessary. I find github issue here and I'm afraid app.UseAuthentication() is no longer necessary. I can also find similar description in [minimal API document](it's not necessary to invoke UseAuthentication or UseAuthorization to register the middlewares because WebApplication does this automatically).

it's not necessary to invoke UseAuthentication or UseAuthorization to register the middlewares because WebApplication does this automatically after AddAuthentication or AddAuthorization are called.

And the most important is that the app could also work well without app.UseAuthentication() no matter we host the app in IIS(requires to enable windows authentication manually in IIS manager) or kestrel.

By the way, I can also reproduce your issue to put app.UseStatusCodePagesWithReExecute("/StatusCode/{0}"); before app.UseAuthentication() and the issue is resolved by putting it behind app.UseAuthentication(). I'm afraid this is due to the web server already handles what app.UseAuthentication() does so that in server side the real effect is UseAuthentication is executed before UseStatusCodePagesWithReExecute.