I have a website running on IIS, it works on Windows Authentication (intranet ActiveDirectory), and I am planning to open it to Internet with token-based OAuth (anonymous authentication).
In my expectation, the website will first challenge the user with Windows authentication whereever a request comes from, if the user does not provide Windows credentials, the authentication will fall back to Anonymous Authentication for OAuth.
However, enabling both authentication method does not work as expected. The webiste always authenticate the user with Anonymous Authencation in the first place. So Windows Authentication does not get a chance to work.
I tried adujusting the Modules order in IIS Manager by moving Anonymous Authentication after Windows Authentication, but it made no difference.
Please share some insight on how I can achieve my expection.
update: Duplicating the website with seperation authentication method will sure work, but maintaining only one website in a simpler infrastructer is always better.
