Typically, webform pages do not support bearer tokens, as they use cookie authentication. You need to add bearer token support to your application.
Is there a way to expose a single aspx page for anonymous access in a .NET 4.7.2 ASP.NET Web Forms running with Azure AD Authentication?
We have a .NET 4.7.2 ASP.NET Web Forms application deployed under IIS running with Azure Active Directory Authentication.
The web app is registered as an application on Azure AD and requires users to login before accessing the site.
Is there a way to expose a single aspx page for anonymous access?
Or perhaps access the page via a token acquired from Azure, without requiring the user to login?
We are trying to return the aspx page as a byte array.
Prior to Azure AD, WebClient was used to access the page, passing in a username and password.
Below please find some sample code:
```csharp
System.Net.WebClient webClient = new System.Net.WebClient();
Uri requestUri = new Uri(m_url);
System.Net.NetworkCredential credentials = new System.Net.NetworkCredential(SiteSettings.AlerterUserName, SiteSettings.AlerterPassword, SiteSettings.AlerterDomain);
System.Net.CredentialCache credentialCache = new System.Net.CredentialCache();
credentialCache.Add(new Uri(SiteSettings.SiteUrl), "NTLM", credentials);
webClient.Credentials = credentialCache;
byte[] raw = webClient.DownloadData(requestUri);
m_body += System.Text.Encoding.Default.GetString(raw);
```
This is no longer valid with Azure.
We have replaced the use of WebClient with HttpClient; however, instead of the requested page being returned, the site is requiring a login:
```csharp
string token = GetAccessToken();
using (HttpClient httpClient = new HttpClient())
{
    httpClient.BaseAddress = new Uri(m_url);
    httpClient.DefaultRequestHeaders.Remove("Authorization");
    httpClient.DefaultRequestHeaders.Add("Authorization", "Bearer " + token);
    byte[] raw = httpClient.GetByteArrayAsync(m_url).GetAwaiter().GetResult();
    m_body += System.Text.Encoding.Default.GetString(raw);
}
```
The following is returned:
```html
<!-- Copyright (C) Microsoft Corporation. All rights reserved. -->
<!DOCTYPE html>
<html dir="ltr" class="" lang="en">
<head>
<title>Sign in to your account</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=yes">
...
```
Thank you,
Ed
Developer technologies | ASP.NET | ASP.NET API
2 answers
Bruce (SqlWork.com) 79,101 Reputation points Volunteer Moderator
2025-05-07T18:27:41.67+00:00
Danny Nguyen (WICLOUD CORPORATION) 800 Reputation points Microsoft External Staff
2025-07-08T08:00:45.6233333+00:00

Hi,

It looks like you're trying to expose a single ASPX page for anonymous access in your .NET 4.7.2 Web Forms app that's configured with Azure AD authentication. I understand you're currently hitting a login prompt when trying to access this page with a token, even after taking steps to implement bearer token support.

To allow anonymous access to a specific ASPX page while using Azure AD for authentication, here are a few things you can try:

- **Web.config Modifications**: You can modify your `web.config` file to allow anonymous access for that specific page. You’ll want to add a `<location>` section that explicitly allows anonymous access:

  ```xml
  <location path="YourPage.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  ```

- **Review Startup Configuration**: Since you mentioned you are utilizing OWIN, make sure your middleware for JWT bearer authentication is set up correctly and that it does not block access to your specified page inadvertently.
- **Handling Token in HTTP Client**: Ensure that the access token you are generating has the correct scopes and permissions if you're attempting to access any secured resources.

As for using a token without requiring a user to login, note that ASP.NET Web Forms typically rely on cookie-based authentication rather than bearer tokens. If possible, consider:

- **Converting the ASPX page** to an API endpoint – instead of returning an ASPX page, you could transform the logic to serve the data you need in a web API response. This will allow better integration with bearer tokens.
- **Implementing Claims-based Access**: Within your application, consider checking the user's claims directly in the code behind of your ASPX page to control the content returned based on whether the user is authenticated or not.
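
An `<allow users="*"/>` rule for the page removes the URL-authorization gate in front of it, so any access control then has to live in the page itself. The sketch below is an added example, not code from the thread or from a Microsoft template; it combines the bearer-middleware and claims-check suggestions above. `ConfigureBearer`, `AlerterPage`, the `Alerter.Read` app role and the `ida:Tenant` / `ida:Audience` appSettings keys are assumptions.

```csharp
// Added example, not code from the thread. Hypothetical names: ConfigureBearer,
// AlerterPage, the "Alerter.Read" app role, the ida:Tenant / ida:Audience keys.
using System;
using System.Configuration;
using System.Security.Claims;
using System.Web.UI;
using Microsoft.IdentityModel.Tokens; // System.IdentityModel.Tokens on older OWIN packages
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public partial class Startup
{
    // Call from Configuration(IAppBuilder) alongside the existing cookie / OpenID Connect setup.
    public void ConfigureBearer(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Accept only tokens issued for this application.
                    ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
                }
            });
    }
}

public partial class AlerterPage : Page
{
    private const string RequiredRole = "Alerter.Read";

    protected void Page_Load(object sender, EventArgs e)
    {
        var user = Context.User as ClaimsPrincipal;
        // The JWT handler may map "roles" to ClaimTypes.Role, so check both forms.
        bool allowed = user != null
            && user.Identity != null
            && user.Identity.IsAuthenticated
            && (user.IsInRole(RequiredRole) || user.HasClaim("roles", RequiredRole));

        if (!allowed)
        {
            // 403, not 401: an active OpenID Connect middleware answers 401
            // with the sign-in redirect the question shows.
            Response.StatusCode = 403;
            Response.End();
        }
    }
}
```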