OAuth in Grafana with Windows Authentication over IIS

Good Day,

I am struggling with implementing OAuth in a .NET application hosted on IIS.
The main reason it is not working is the Windows Authentication, which I use for my .NET app on IIS.
When I turn on Anonymous Authentication everything works fine and I get redirected to my Dashboard with the user I authenticate in my .NET app (Blazor Server).
But as soon as I turn Anonymous Authentication OFF in IIS, it does not work anymore.

Is it possible to get it to work with Windows Authentication only? Do I need a specific configuration in the web.config of the published app for that?

I am using Grafana 9.1.3, IIS 10, Firefox 104.0.2 and .NET 6.0 Blazor.

These are the changes in my custom.ini-File:

############## Server #################
[server]
# Protocol (http, https, h2, socket)
protocol = http

# The http port  to use
http_port = 3010

# The public facing domain name used to access grafana from a browser
domain = localhost

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = %(protocol)s://%(domain)s:%(http_port)s/grafana

# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
serve_from_sub_path = true

############# Generic OAuth ############
[auth.generic_oauth]
enabled = true
name = OAuth
allow_sign_up = true
client_id = postman
client_secret = postman-secret2
scopes = api openid
empty_scopes = false
email_attribute_name = 
;email_attribute_name = email:primary
;email_attribute_path =
;login_attribute_path =
;name_attribute_path =
;id_token_attribute_name =
auth_url = http://localhost:801/connect/authorize
token_url = http://localhost:801/connect/token
api_url = http://localhost:801/connect/userinfo
;teams_url =
;allowed_domains =
;team_ids =
;allowed_organizations =
;role_attribute_path =
;role_attribute_strict = false
;groups_attribute_path =
;team_ids_attribute_path =
tls_skip_verify_insecure = true
;tls_client_cert =
;tls_client_key =
;tls_client_ca =
;use_pkce = false
;auth_style =

This is the Firefox output with Windows Authentication in IIS:

The Error in the log-File says this:

logger=context traceID=00000000000000000000000000000000 userId=10 orgId=1 uname=some@email3 t=2022-10-07T10:18:47.1262417+02:00 level=info msg="Request Completed" method=GET path=/login/generic_oauth status=302 remote_addr=127.0.0.1 time_ms=3 duration=3.293ms size=284 referer=http://localhost:3010/grafana/login traceID=00000000000000000000000000000000 handler=/login/:name
logger=oauth t=2022-10-07T10:18:47.3414135+02:00 level=info msg="state check" queryState=714629eaa67f449c00be02d99681bd14d05f6ce934bdcdfe86198b5ed8b0224a cookieState=714629eaa67f449c00be02d99681bd14d05f6ce934bdcdfe86198b5ed8b0224a
logger=context traceID=00000000000000000000000000000000 userId=10 orgId=1 uname=some@email3 t=2022-10-07T10:18:47.3447719+02:00 level=error msg=login.OAuthLogin(NewTransportWithCode) error="oauth2: cannot fetch token: 401 Unauthorized\nResponse: <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"> \n<html xmlns=\"http://www.w3.org/1999/xhtml\"> \n<head> \n<title>IIS 10.0 Detailed Error - 401.2 - Unauthorized</title> \n<style type=\"text/css\"> \n<!-- \nbody{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} \ncode{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} \n.config_source code{font-size:.8em;color:#000000;} \npre{margin:0;font-size:1.4em;word-wrap:break-word;} \nul,ol{margin:10px 0 10px 5px;} \nul.first,ol.first{margin-top:5px;} \nfieldset{padding:0 15px 10px 15px;word-break:break-all;} \n.summary-container fieldset{padding-bottom:5px;margin-top:4px;} \nlegend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} \nlegend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; \nfont-weight:bold;font-size:1em;} \na:link,a:visited{color:#007EFF;font-weight:bold;} \na:hover{text-decoration:none;} \nh1{font-size:2.4em;margin:0;color:#FFF;} \nh2{font-size:1.7em;margin:0;color:#CC0000;} \nh3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} \nh4{font-size:1.2em;margin:10px 0 5px 0; \n}#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:\"trebuchet MS\",Verdana,sans-serif; \n color:#FFF;background-color:#5C87B2; \n}#content{margin:0 0 0 2%;position:relative;} \n.summary-container,.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} \n.content-container p{margin:0 0 10px 0; \n}#details-left{width:35%;float:left;margin-right:2%; \n}#details-right{width:63%;float:left;overflow:hidden; \n}#server_version{width:96%;_height:1px;min-height:1px;margin:0 0 5px 0;padding:11px 2% 8px 2%;color:#FFFFFF; \n 
background-color:#5A7FA5;border-bottom:1px solid #C1CFDD;border-top:1px solid #4A6C8E;font-weight:normal; \n font-size:1em;color:#FFF;text-align:right; \n}#server_version p{margin:5px 0;} \ntable{margin:4px 0 4px 0;width:100%;border:none;} \ntd,th{vertical-align:top;padding:3px 0;text-align:left;font-weight:normal;border:none;} \nth{width:30%;text-align:right;padding-right:2%;font-weight:bold;} \nthead th{background-color:#ebebeb;width:25%; \n}#details-right th{width:20%;} \ntable tr.alt td,table tr.alt th{} \n.highlight-code{color:#CC0000;font-weight:bold;font-style:italic;} \n.clear{clear:both;} \n.preferred{padding:0 5px 2px 5px;font-weight:normal;background:#006633;color:#FFF;font-size:.8em;} \n--> \n</style> \n \n</head> \n<body> \n<div id=\"content\"> \n<div class=\"content-container\"> \n  <h3>HTTP Error 401.2 - Unauthorized</h3> \n  <h4>You are not authorized to view this page due to invalid authentication headers.</h4> \n</div> \n<div class=\"content-container\"> \n <fieldset><h4>Most likely causes:</h4> \n  <ul> \t<li>No authentication protocol (including anonymous) is selected in IIS.</li> \t<li>Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication.</li> \t<li>Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server.</li> \t<li>The Web server is not configured for anonymous access and a required authorization header was not received.</li> \t<li>The \"configuration/system.webServer/authorization\" configuration section may be explicitly denying the user access.</li> </ul> \n </fieldset> \n</div> \n<div class=\"content-container\"> \n <fieldset><h4>Things you can try:</h4> \n  <ul> \t<li>Verify the authentication setting for the resource and then try requesting the resource using that authentication method.</li> \t<li>Verify that the client browser supports Integrated authentication.</li> 
\t<li>Verify that the request is not going through a proxy when Integrated authentication is used.</li> \t<li>Verify that the user is not explicitly denied access in the \"configuration/system.webServer/authorization\" configuration section.</li> \t<li>Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click <a href=\"http://go.microsoft.com/fwlink/?LinkID=66439\">here</a>. </li> </ul> \n </fieldset> \n</div> \n \n<div class=\"content-container\"> \n <fieldset><h4>Detailed Error Information:</h4> \n  <div id=\"details-left\"> \n   <table border=\"0\" cellpadding=\"0\" cellspacing=\"0\"> \n    <tr class=\"alt\"><th>Module</th><td>&nbsp;&nbsp;&nbsp;IIS Web Core</td></tr> \n    <tr><th>Notification</th><td>&nbsp;&nbsp;&nbsp;AuthenticateRequest</td></tr> \n    <tr class=\"alt\"><th>Handler</th><td>&nbsp;&nbsp;&nbsp;aspNetCore</td></tr> \n    <tr><th>Error Code</th><td>&nbsp;&nbsp;&nbsp;0x80070005</td></tr> \n     \n   </table> \n  </div> \n  <div id=\"details-right\"> \n   <table border=\"0\" cellpadding=\"0\" cellspacing=\"0\"> \n    <tr class=\"alt\"><th>Requested URL</th><td>&nbsp;&nbsp;&nbsp;http://localhost:801/connect/token</td></tr> \n    <tr><th>Physical Path</th><td>&nbsp;&nbsp;&nbsp;F:\\repos\\Server\\Server\\bin\\Debug\\net6.0\\publish\\connect\\token</td></tr> \n    <tr class=\"alt\"><th>Logon Method</th><td>&nbsp;&nbsp;&nbsp;Not yet determined</td></tr> \n    <tr><th>Logon User</th><td>&nbsp;&nbsp;&nbsp;Not yet determined</td></tr> \n     \n   </table> \n   <div class=\"clear\"></div> \n  </div> \n </fieldset> \n</div> \n \n<div class=\"content-container\"> \n <fieldset><h4>More Information:</h4> \n  This error occurs when the WWW-Authenticate header sent to the Web server is not supported by the server configuration. Check the authentication method for the resource, and verify which authentication method the client used. 
The error occurs when the authentication methods are different. To determine which type of authentication the client is using, check the authentication settings for the client. \n  <p><a href=\"https://go.microsoft.com/fwlink/?LinkID=62293&amp;IIS70Error=401,2,0x80070005,17763\">View more information &raquo;</a></p> \n  <p>Microsoft Knowledge Base Articles:</p> \n <ul><li>907273</li><li>253667</li></ul> \n \n </fieldset> \n</div> \n</div> \n</body> \n</html> \n"
logger=context traceID=00000000000000000000000000000000 userId=10 orgId=1 uname=some@email3 t=2022-10-07T10:18:47.3447719+02:00 level=error msg="Request Completed" method=GET path=/login/generic_oauth status=500 remote_addr=127.0.0.1 time_ms=6 duration=6.0868ms size=1373 referer=http://localhost:3010/ traceID=00000000000000000000000000000000 handler=/login/:name

It says something about no selected authentication protocol? But Windows Authentication is selected. Why is this not passed in the header?
Maybe someone has worked on a similar problem and can give me a clearer understanding of why this is happening with Grafana.

Best Regards
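The IIS error page embedded in the log shows what is failing: the 401.2 is returned for http://localhost:801/connect/token, which is not requested by the browser but by the Grafana server itself when it exchanges the authorization code for a token. Grafana's HTTP client does not perform NTLM/Kerberos, so with Windows Authentication as the only enabled scheme IIS rejects that request before it ever reaches the .NET app. One way to keep Windows Authentication for the interactive part of the app while letting Grafana reach the token and userinfo endpoints is a per-path override in the published app's web.config. The following fragment is an added example, not configuration from the original post; it assumes the OpenIddict endpoints live under /connect (as in the post's URLs), that the authentication sections have been unlocked in applicationHost.config (e.g. with `appcmd unlock config -section:system.webServer/security/authentication/anonymousAuthentication` and the same for `windowsAuthentication`), and that OpenIddict itself validates the client credentials on /connect/token and the bearer token on /connect/userinfo.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Default for the whole app: Windows Authentication only, no anonymous access. -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>

  <!-- /connect/authorize is hit by the user's browser, so Windows Authentication stays on
       here; this is where the Windows identity is established for the OAuth flow. -->
  <location path="connect/authorize">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>

  <!-- /connect/token and /connect/userinfo are called server-to-server by Grafana, which
       cannot answer an NTLM/Negotiate challenge. Let IIS pass these requests through and
       rely on the application (OpenIddict) to authenticate the client. -->
  <location path="connect/token">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
          <windowsAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="connect/userinfo">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
          <windowsAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

A quick way to confirm the diagnosis before changing anything is to request the token endpoint from the Grafana host without any credentials (for example with curl) and look for the `WWW-Authenticate: Negotiate` / `NTLM` challenge together with the 401.2 body; after the override is in place the same request should reach the application and be answered by OpenIddict (typically a 400 `invalid_request` or `invalid_client` for an empty request) instead of by IIS.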

I used a different approach now: I use the Windows DLL "advapi32.dll", as it can validate my username in my local intranet as well. The C# code is then:

using System;
using System.Runtime.InteropServices;
// logType 2 = LOGON32_LOGON_INTERACTIVE, logpv 0 = LOGON32_PROVIDER_DEFAULT
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string username, string domain, string password, int logType, int logpv, ref IntPtr intPtr);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);

private bool validateLogin(string user, string password)
{
    IntPtr ip = IntPtr.Zero;
    bool isAuthenticated = LogonUser(user, "rse.intern", password, 2, 0, ref ip);
    if (ip != IntPtr.Zero) CloseHandle(ip); // release the logon token handle returned on success
    return isAuthenticated;
}

Login in Grafana with IIS is done with the anonymous setting in IIS and OAuth in Grafana. In .NET I then use OpenIddict as my endpoint.