How to add API Authentication and authorization in web server (Kestrel - Self hosted) created in .Net Standard 2.0.

Amol Rajput 0 Reputation points
2025-04-02T03:57:56.56+00:00

I want to add API Authentication and authorization in our web server (Kestrel - Self hosted) created in .Net Standard 2.0.

I want to use Windows authentication here. We found that this can be done using the AddNegotiate() in “Microsoft.AspNetCore.Authentication.Negotiate” NuGet. But this NuGet is not supported in .NET Standard 2.0.

Is there any alternative for AddNegotiate for .NET Standard? How can we achieve similar authentication in .NET Standard?

Please note I cannot migrate to modern .NET due to significant dependencies on .NET Framework projects. Are there any viable alternatives or workarounds to implement Windows authentication in .NET Standard?

Developer technologies | ASP.NET | ASP.NET API

2 answers

  1. Bruce (SqlWork.com) 79,101 Reputation points Volunteer Moderator
    2025-04-02T17:50:59.52+00:00

    originally asp.net supported windows authentication via IIS hosting module passing the windows token handle to the asp.net core runtime. this allowed IIS to perform all the windows authentication.

    to support asp.net core self hosting (which no longer uses libuv), a new nuget package was written to fully implement windows/kerberos authentication for asp.net core 3.1+. it's actually part of the aspnetcore build and not independent. I believe when hosted in IIS it still uses IIS to authenticate.

    Windows authentication is complex (as it is an out of band protocol and not part of the http stream) and you are not likely to find an owin implementation. Your best bet is to host with IIS/IIS express.

    if IIS is not an option, then easiest approach is to implement basic authentication and use pinvoke to call the windows api to verify the login/password.

    https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonusera

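The Basic-plus-LogonUser fallback suggested in the answer above, sketched as ASP.NET Core 2.x middleware; this is an added example, not code from the thread. The class name is hypothetical, and it assumes a Windows host, the System.Security.Principal.Windows package, and HTTPS, because Basic sends the password with every request.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

public sealed class WindowsBasicAuthMiddleware   // hypothetical name
{
    private const int LOGON32_LOGON_NETWORK = 3;     // validate only; no interactive session
    private const int LOGON32_PROVIDER_DEFAULT = 0;
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    private readonly RequestDelegate _next;
    public WindowsBasicAuthMiddleware(RequestDelegate next) { _next = next; }

    public async Task Invoke(HttpContext ctx)
    {
        // Refuse to read credentials at all on a plaintext connection.
        var identity = ctx.Request.IsHttps ? TryLogon(ctx.Request.Headers["Authorization"]) : null;
        if (identity == null)
        {
            ctx.Response.StatusCode = 401;
            ctx.Response.Headers["WWW-Authenticate"] = "Basic realm=\"api\", charset=\"UTF-8\"";
            return;
        }
        using (identity)   // release the duplicated token when the request ends
        {
            ctx.User = new WindowsPrincipal(identity);
            await _next(ctx);
        }
    }

    private static WindowsIdentity TryLogon(string header)
    {
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return null;
        string pair;
        try { pair = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return null; }
        int colon = pair.IndexOf(':');               // split on the first ':'; passwords may contain more
        if (colon <= 0) return null;
        string account = pair.Substring(0, colon), password = pair.Substring(colon + 1);
        int slash = account.IndexOf('\\');           // DOMAIN\user; otherwise the name must be a UPN
        string domain = slash > 0 ? account.Substring(0, slash) : null;
        string user = slash > 0 ? account.Substring(slash + 1) : account;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out IntPtr token)) return null;
        try { return new WindowsIdentity(token); }   // WindowsIdentity keeps its own copy of the token
        finally { CloseHandle(token); }
    }
}
```

Register it with `app.UseMiddleware<WindowsBasicAuthMiddleware>()` ahead of the API endpoints. Failed logons count toward the Windows account lockout policy, so rate-limit and log 401 responses.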

  2. Jack Dang (WICLOUD CORPORATION) 1,020 Reputation points Microsoft External Staff
    2025-07-15T04:35:13.2833333+00:00

    Hi @Amol Rajput ,

    You're correct that Microsoft.AspNetCore.Authentication.Negotiate is not compatible with .NET Standard 2.0, as it's designed for ASP.NET Core 3.0+ and later. Since you're constrained to .NET Standard 2.0 due to dependencies on .NET Framework, here are some alternative approaches and workarounds you can consider:

    Option 1: Use Windows Authentication via HttpListener or OWIN

    If you're self-hosting with Kestrel but need Windows Authentication, consider using OWIN (Open Web Interface for .NET) with Katana components. These libraries support Windows Authentication and can be used in .NET Framework projects that reference .NET Standard libraries.

    OWIN Middleware: You can use Microsoft.Owin.Security and Microsoft.Owin.Host.HttpListener to create a self-hosted server with Windows Authentication.

    WindowsAuth Middleware: Use UseWindowsAuthentication() in OWIN to enable Windows auth.

    Note: This approach requires hosting the authentication layer in a .NET Framework project and calling into your .NET Standard logic.

    Option 2: Reverse Proxy with IIS or HttpSys

    Another workaround is to host your Kestrel server behind IIS or HttpSys, which supports Windows Authentication natively.

    Configure IIS to handle Windows Authentication.

    Use IIS as a reverse proxy to forward requests to your Kestrel server.

    Extract the authenticated user identity from the forwarded headers (e.g., X-Windows-Auth).

    This allows you to keep your .NET Standard codebase while leveraging IIS for authentication.

    Option 3: Custom Middleware for NTLM/Kerberos

    Implementing NTLM or Kerberos authentication manually is not recommended due to complexity and security concerns. However, if you must, you can:

    Use a third-party library like Kerberos.NET to parse and validate Kerberos tickets.

    Write custom middleware to extract and validate the Authorization header.

    Please note that this is a low-level and error-prone approach. Use only if other options are not viable.

    To conclude, since AddNegotiate() is not available in .NET Standard 2.0, your best options are:

    • Use OWIN/Katana in a .NET Framework host.

    • Host behind IIS or HttpSys for Windows Authentication.

    • Avoid manual NTLM/Kerberos unless absolutely necessary.

    Hope this helps.

