UUF: Clarify Windows Authentication use for Configure Windows Authentication

[wadepickett]

Description

Transferred from Unified User Feedback system.

Clarify whether/when Windows Authentication should be used:

Verbatim user feedback:
"This is a whole lot of info but you never say if it SHOULD BE DONE THIS WAY! you have a note that says "Windows Authentication isn't supported with HTTP/2. Authentication challenges can be sent on HTTP/2 responses, but the client must downgrade to HTTP/1.1 before authenticating." This sounds like Windows Authentication is being deprecated! What is the deal? If it is not the best way to authenticate your Intranet apps, WHAT IS?"

Analysis:
The current documentation on Windows Authentication is comprehensive but lacks clear guidance on:

• Whether Windows Authentication is still recommended for intranet applications
• When to use Windows Authentication vs. alternative authentication methods
• A clear statement about the long-term viability of Windows Authentication
• Best practices section for different scenarios
• The HTTP/2 limitation note ("Windows Authentication isn't supported with HTTP/2") raises concerns without providing context about what this means for production applications.

Recommendation to consider:
Add a new section early in the document that provides clear guidance:

• When Windows Authentication is appropriate (corporate networks, Active Directory environments)
• Alternative authentication methods for different scenarios (especially for internet-facing applications)
• Clarify the HTTP/2 limitation and its practical impact

Page URL

https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-9.0&tabs=visual-studio

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/authentication/windowsauth.md

Document ID

fbc36c26-9992-1f4c-66d3-02f898ee7ec4

Platform Id

7e670460-f1b6-a509-340f-e6936ea78313

Article author

@wadepickett

Metadata

• ID: 401ad9a0-9e51-80a2-5846-82e9790d7257
• PlatformId: 7e670460-f1b6-a509-340f-e6936ea78313
• Service: aspnet-core
• Sub-service: security

Related Issues

---

Associated WorkItem - 496898

[timdeschryver]

I'm not an expert on this, but I can give this a go if you want.

[wadepickett]

Quick draft proposal to consider below:

Issue Summary
This is a valid issue. The current Windows Authentication documentation provides comprehensive technical information but lacks clear guidance on when Windows Authentication is appropriate to use and how it compares to alternative authentication methods. The HTTP/2 limitation note raises particular concerns for users without proper context.

Recommendation
Add a new section early in the document that provides clear guidance about Windows Authentication usage scenarios. The existing content is technically accurate but needs better context about when this authentication method is appropriate.

Files to Modify
aspnetcore/security/authentication/windowsauth.md
Add a new section after the introduction paragraphs (around line 22)
The section should clarify Windows Authentication usage scenarios
Proposed Changes
Add a new section titled "When to use Windows Authentication" after the introduction paragraphs (around line 22), before the "Proxy and load balancer scenarios" section:

Proposed new section as markdown (links have not been set where needed yet):

When to use Windows Authentication

Windows Authentication is recommended for intranet applications where:

• Users have Windows domain accounts (Active Directory)
• Servers run on the same corporate network as clients
• You need seamless authentication experiences for domain users
• You want to leverage existing Windows/Active Directory infrastructure

Advantages

• No separate login UI required - users are automatically authenticated using their Windows credentials
• Integration with Active Directory enables role-based authorization using domain groups
• No need to manage separate user credentials or implement password reset flows
• Secure credential handling through Kerberos protocol

Considerations and limitations

• HTTP/2 limitation: Windows Authentication isn't fully supported with HTTP/2. While authentication challenges can be sent over HTTP/2, the client must downgrade to HTTP/1.1 to authenticate. This is a protocol limitation, not a deprecation of Windows Authentication. Once authenticated, normal HTTP/2 communication can resume.

• Internet-facing applications: Windows Authentication is typically not suitable for internet-facing applications since:

  • External users don't have Windows domain accounts
  • Exposing Windows Authentication outside a corporate network introduces security risks
  • Firewalls and proxies may interfere with the authentication process

Alternatives for different scenarios

• Internet-facing applications:

  • OpenID Connect with external identity providers
  • ASP.NET Core Identity with local user accounts
  • Azure Active Directory (AAD) for Microsoft 365 environments

• Mixed environments with both intranet and internet users:

  • Active Directory Federation Services (ADFS) with OpenID Connect
  • Azure Active Directory with hybrid configuration

• Corporate environments using modern authentication:

  • Azure Active Directory with single sign-on
  • SAML-based solutions with third-party identity providers

[wadepickett]

@timdeschryver, sorry I missed your offer! Feel free to take this one on if you are interested! I added some generated draft proposal notes in this discussion which may be helpful, but it is just a quick draft suggestion.

[timdeschryver]

I'll try to open a PR tomorrow based on your suggestions @wadepickett, thanks for the draft.

[wadepickett]

Awesome, thanks @timdeschryver!