#390 Add back AutomaticAuthentication for opt-out.

src/Microsoft.AspNetCore.Server.IISIntegration/IISMiddleware.cs

@@ -110,8 +110,9 @@ namespace Microsoft.AspNetCore.Server.IISIntegration
 
             if (_options.ForwardWindowsAuthentication)
             {
+                // We must always process and clean up the windows identity, even if we don't assign the User.
                 var result = await httpContext.AuthenticateAsync(IISDefaults.AuthenticationScheme);
-                if (result.Succeeded)
+                if (result.Succeeded && _options.AutomaticAuthentication)
                 {
                     httpContext.User = result.Principal;
                 }

src/Microsoft.AspNetCore.Server.IISIntegration/IISOptions.cs

@@ -6,8 +6,15 @@ namespace Microsoft.AspNetCore.Builder
     public class IISOptions
     {
         /// <summary>
-        /// If true authentication middleware will try to authenticate using AspNetCoreModule windows authentication
-        /// If false authentication components won't be added
+        /// If true the middleware should set HttpContext.User. If false the middleware will only provide an
+        /// identity when explicitly requested by the AuthenticationScheme.
+        /// Note Windows Authentication must also be enabled in IIS for this to work.
+        /// </summary>
+        public bool AutomaticAuthentication { get; set; } = true;
+
+        /// <summary>
+        /// Used to indicate if the authentication handler should be registered. This is only done if ANCM indicates
+        /// IIS has a non-anonymous authentication enabled, or for back compat with ANCMs that did not provide this information.
         /// </summary>
         internal bool ForwardWindowsAuthentication { get; set; } = true;