Fix Windows Authentication Kestrel documentation to highlight UseAuthentication middleware (#36230)

Copilot · wadepickett · web-flow · commit 61a3eba751bf · 2025-10-17T14:15:36.000-07:00
* Initial plan * Fix Windows Authentication Kestrel section to highlight UseAuthentication middleware Co-authored-by: wadepickett <10985336+wadepickett@users.noreply.github.com> * Apply suggestion from @wadepickett Fixed a misleading sentence. Kestral does not natively implement Windows Authentication, the NuGet package enables it. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: wadepickett <10985336+wadepickett@users.noreply.github.com> Co-authored-by: Wade Pickett <wpickett@microsoft.com>
diff --git a/aspnetcore/security/authentication/windowsauth.md b/aspnetcore/security/authentication/windowsauth.md
@@ -5,7 +5,7 @@ description: Learn how to configure Windows Authentication in ASP.NET Core for I
 monikerRange: '>= aspnetcore-3.1'
 ms.author: wpickett
 ms.custom: mvc
-ms.date: 08/10/2025
+ms.date: 10/17/2025
 uid: security/authentication/windowsauth
 ms.ai: assisted
 ---
@@ -168,23 +168,29 @@ Use **either** of the following approaches:
 
 ## Kestrel
 
-The [`Microsoft.AspNetCore.Authentication.Negotiate` NuGet package](https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.Negotiate) can be used with [Kestrel](xref:fundamentals/servers/kestrel) to support Windows Authentication using Negotiate and Kerberos on Windows, Linux, and macOS.
+The [`Microsoft.AspNetCore.Authentication.Negotiate` NuGet package](https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.Negotiate) can be used with [Kestrel](xref:fundamentals/servers/kestrel) to enable Windows Authentication using Negotiate and Kerberos on Windows, Linux, and macOS.
 
 > [!WARNING]
 > Credentials can be persisted across requests on a connection. *Negotiate authentication must not be used with proxies unless the proxy maintains a 1:1 connection affinity (a persistent connection) with Kestrel.*
 
 > [!NOTE]
 > The Negotiate handler detects if the underlying server supports Windows Authentication natively and if it is enabled. If the server supports Windows Authentication but it is disabled, an error is thrown asking you to enable the server implementation. When Windows Authentication is enabled in the server, the Negotiate handler transparently forwards authentication requests to it.
 
-Authentication is enabled by the following highlighted code to `Program.cs`:
+Authentication and a fallback authorization policy are enabled by the following highlighted code in `Program.cs`:
+
+[!code-csharp[](windowsauth/6.0samples/WebRPwinAuth/Program.cs?name=snippet1&highlight=1,5-6,8-11,26-27)]
 
-[!code-csharp[](windowsauth/6.0samples/WebRPwinAuth/Program.cs?name=snippet1&highlight=1,4-11,27-28)]
+The preceding code was generated by the ASP.NET Core Razor Pages template with **Windows Authentication** specified.
 
-The preceding code was generated by the ASP.NET Core Razor Pages template with **Windows Authentication** specified. The following APIs are used in the preceding code:
+Highlighted lines:
 
-* <xref:Microsoft.Extensions.DependencyInjection.AuthenticationServiceCollectionExtensions.AddAuthentication%2A>
-* <xref:Microsoft.Extensions.DependencyInjection.NegotiateExtensions.AddNegotiate%2A> 
-* <xref:Microsoft.AspNetCore.Builder.AuthAppBuilderExtensions.UseAuthentication%2A>
+* 5–6: <xref:Microsoft.Extensions.DependencyInjection.AuthenticationServiceCollectionExtensions.AddAuthentication%2A> and <xref:Microsoft.Extensions.DependencyInjection.NegotiateExtensions.AddNegotiate%2A> register and configure the Negotiate authentication handler.
+* 8–11: <xref:Microsoft.Extensions.DependencyInjection.AuthorizationServiceCollectionExtensions.AddAuthorization%2A> with a fallback policy enforces authenticated users by default.
+* 26: <xref:Microsoft.AspNetCore.Builder.AuthAppBuilderExtensions.UseAuthentication%2A> executes authentication handlers for each request and populates <xref:Microsoft.AspNetCore.Http.HttpContext.User?displayProperty=nameWithType>.
+* 27: <xref:Microsoft.AspNetCore.Builder.AuthorizationAppBuilderExtensions.UseAuthorization%2A> evaluates authorization policies, including the fallback policy.
+
+> [!NOTE]
+> Calling <xref:Microsoft.Extensions.DependencyInjection.AuthenticationServiceCollectionExtensions.AddAuthentication%2A> and <xref:Microsoft.Extensions.DependencyInjection.NegotiateExtensions.AddNegotiate%2A> registers and configures the Negotiate handler; it does not run authentication per request. The Authentication middleware (<xref:Microsoft.AspNetCore.Builder.AuthAppBuilderExtensions.UseAuthentication%2A>) invokes the handler and populates <xref:Microsoft.AspNetCore.Http.HttpContext.User?displayProperty=nameWithType>, and must appear before <xref:Microsoft.AspNetCore.Builder.AuthorizationAppBuilderExtensions.UseAuthorization%2A> for policy evaluation to work.
 
 <a name="rbac"></a>
 ### Kerberos authentication and role-based access control (RBAC)
