diff --git a/src/Microsoft.AspNetCore.Server.IISIntegration/IISMiddleware.cs b/src/Microsoft.AspNetCore.Server.IISIntegration/IISMiddleware.cs
index d51cb5de57..506a4894c7 100644
--- a/src/Microsoft.AspNetCore.Server.IISIntegration/IISMiddleware.cs
+++ b/src/Microsoft.AspNetCore.Server.IISIntegration/IISMiddleware.cs
@@ -110,8 +110,9 @@ namespace Microsoft.AspNetCore.Server.IISIntegration
if (_options.ForwardWindowsAuthentication)
{
+ // We must always process and clean up the windows identity, even if we don't assign the User.
var result = await httpContext.AuthenticateAsync(IISDefaults.AuthenticationScheme);
- if (result.Succeeded)
+ if (result.Succeeded && _options.AutomaticAuthentication)
{
httpContext.User = result.Principal;
}
diff --git a/src/Microsoft.AspNetCore.Server.IISIntegration/IISOptions.cs b/src/Microsoft.AspNetCore.Server.IISIntegration/IISOptions.cs
index dd012eef86..d175236e0b 100644
--- a/src/Microsoft.AspNetCore.Server.IISIntegration/IISOptions.cs
+++ b/src/Microsoft.AspNetCore.Server.IISIntegration/IISOptions.cs
@@ -6,8 +6,15 @@ namespace Microsoft.AspNetCore.Builder
public class IISOptions
{
///
- /// If true authentication middleware will try to authenticate using AspNetCoreModule windows authentication
- /// If false authentication components won't be added
+ /// If true the middleware should set HttpContext.User. If false the middleware will only provide an
+ /// identity when explicitly requested by the AuthenticationScheme.
+ /// Note Windows Authentication must also be enabled in IIS for this to work.
+ ///
+ public bool AutomaticAuthentication { get; set; } = true;
+
+ ///
+ /// Used to indicate if the authentication handler should be registered. This is only done if ANCM indicates
+ /// IIS has a non-anonymous authentication enabled, or for back compat with ANCMs that did not provide this information.
///
internal bool ForwardWindowsAuthentication { get; set; } = true;