IIS: Using Windows Authentication assigns ClaimsPrincipal to User if AuthenticationSchemes are defined in an AuthorizationPolicy
Is there an existing issue for this?
- I have searched the existing issues
Describe the bug
When running under IIS / IIS Express with Windows Authentication enabled, defining an AuthorizationPolicy with AuthenticationSchemes will assign a ClaimsPrincipal to the User of the current request instead of a WindowsPrincipal.
In the past (.NET Core 2.1), I’ve unknowingly worked around this by returning an empty string array into the authenticationScheme parameter in the AuthorizationPolicy constructor, but I’ve noticed that simply adding any existing defined authentication scheme to the parameter - including “Windows” - will result in a ClaimsPrincipal assigned to HttpContext.User instead of a WindowsPrincipal.
This will return a WindowsPrincipal when HttpContext.User or ControllerBase.User is called.

    builder.Services.AddAuthorization(pol =>
    {
        // Empty scheme list: no authentication schemes are attached to the policy.
        pol.AddPolicy("WindowsAuth",
            new AuthorizationPolicy(
                new[] { new SomeRequirement() },
                Enumerable.Empty<string>()));
    });
This will return a ClaimsPrincipal when HttpContext.User or ControllerBase.User is called.

    builder.Services.AddAuthorization(pol =>
    {
        // "Windows" is passed as the policy's only authentication scheme.
        pol.AddPolicy("WindowsAuth",
            new AuthorizationPolicy(
                new[] { new SomeRequirement() },
                new string[] { "Windows" }));
    });
I’m currently experiencing this in .NET Core 3.1, but realized that it also affects .NET 6 (and probably 5).
Expected Behavior
If “Windows” is passed into the set of AuthenticationSchemes an AuthorizationPolicy should affect, a WindowsPrincipal should be assigned to the User of the current request instead of a ClaimsPrincipal.
Steps To Reproduce
Repro Repo: https://github.com/snickler/authpolicyrepro
Exceptions (if any)
No response
.NET Version
6.0.101
Anything else?
No response
Issue Analytics
- Created 2 years ago
- Comments:9 (5 by maintainers)
Top GitHub Comments
Only one. If you specify multiple schemes, they get combined into one ClaimsPrincipal; basically, don’t mix Windows auth with other auth schemes if you want to get a Windows Principal.
Dupe of https://github.com/dotnet/aspnetcore/issues/32340
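
An added example, not code from the issue or from ASP.NET Core: a defensive helper for code that needs a WindowsPrincipal (for group checks or impersonation) and must not break when HttpContext.User arrives as a plain ClaimsPrincipal. It assumes the combined ClaimsPrincipal still carries the original WindowsIdentity in its Identities collection; the class and method names are hypothetical.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;

// Hypothetical helper, not part of ASP.NET Core.
public static class WindowsUserExtensions
{
    // Returns the authenticated WindowsIdentity carried by the user, or null.
    // Works for a WindowsPrincipal and, under the assumption stated above,
    // for a ClaimsPrincipal that wraps the same identity.
    public static WindowsIdentity? FindWindowsIdentity(this ClaimsPrincipal? user)
    {
        if (user is null)
        {
            return null;
        }

        return user.Identities
            .OfType<WindowsIdentity>()
            .FirstOrDefault(identity => identity.IsAuthenticated);
    }

    // Returns the user as a WindowsPrincipal, rebuilding one from the
    // WindowsIdentity when the request user is a plain ClaimsPrincipal.
    // Returns null when no Windows identity is present, so callers fail
    // closed instead of hitting an InvalidCastException or a null cast.
    public static WindowsPrincipal? AsWindowsPrincipal(this ClaimsPrincipal? user)
    {
        if (user is WindowsPrincipal alreadyWindows)
        {
            return alreadyWindows;
        }

        var identity = user.FindWindowsIdentity();
        return identity is null ? null : new WindowsPrincipal(identity);
    }
}

// Usage inside a controller action (constructed example):
//
//     var windowsUser = User.AsWindowsPrincipal();
//     if (windowsUser is null)
//     {
//         return Forbid();   // no Windows identity on this request
//     }
//     bool isAdmin = windowsUser.IsInRole(WindowsBuiltInRole.Administrator);
```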