asp.net mvc 4 - Use Anonymous authentication in MVC4 on single controller when the whole application uses Windows Authenticaion

Question

I have an MVC4 Web application which uses Windows Authentication, that is in web.config I have
<authentication mode="Windows" /> And that works fine and everything is ok.

However now I need a controller (an Web API controller in fact) that should be accessed anonymously from a third party component. The problem is that every time I want to invoke this method it requests user credentials.

I tried putting AllowAnonymous attribute to controller and methods but it was not successful.

[AllowAnonymous] public bool Get(string Called, string Calling, string CallID, int direction)

I checked on both IIS Express and IIS 8 with Anonymous authentication and Windows authentication enabled.

It seems that windows authentication precedes any other authentication and cannot be overridden.

Is there a way to accomplish this?

Answer 1

Add this to your Web.config. Here, my controller is named "WebhookController".

<location path="Webhook">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

See this KB article for more info.

Edit - As Erik mentioned below, in MVC applications you should not use web.config <authorization> tags for security. Instead, use [Authorize] attributes. Doing so will allow your [AllowAnonymous] attributes to work correctly. You can read more about this here.