Support for both Anonymous and Windows Auth in API

We are using Universal in IIS and it works fine for authentication/authorization.
The problem/ question we got now: why not have some endpoints without auth.

The problem is I can’t see a way to have both options available - am I missing something?

When I enable anon on IIS, I get everything w/o auth.
When it is disabled - I have to auth always (even if endpoint has no Role specified).

I’d love to be able to support both on the same box w/o having something in a form of two separate sites (that would also work, it just feels like a workaround). On the other hand - I’m not sure if it is even possible (as it feels like IIS just won’t allow that level of granularity).

Product: PowerShell Universal
Version: 1.5.0

I’ll have to look into this. I wouldnt have expected anon to provide access to everything without auth as I would assume the Universal server would at least be returning 401s or 403s if you try to access protected endpoints.

Version: 1.5.6

I actually can’t reproduce this and it seems to work as expected. Let me know if you can spot what I’m doing differently. Let me know if you need more information.

Server Auth Settings:

Web App Settings:

Web Config

<?xml version="1.0" encoding="utf-8"?>
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
    <aspNetCore processPath=".\Universal.Server.exe" arguments="" forwardWindowsAuthToken="true" stdoutLogEnabled="true" stdoutLogFile=".\logs\log" hostingModel="OutOfProcess" />
<!--ProjectGuid: 588ACF2E-9AE5-4DF1-BC42-BCE16A4C4EDE-->


  "Kestrel": {
    "Endpoints": {
      "HTTP": {
        "Url": "http://*:5000"
    "RedirectToHttps": "false"
  "ApplicationInsights": {
    "InstrumentationKey": ""
  "Logging": {
    "Path": "%PROGRAMDATA%/PowerShellUniversal/log.txt",
    "RetainedFileCountLimit": 31,
    "LogLevel": {
      "Default": "Debug",
      "Microsoft": "Debug",
      "Microsoft.Hosting.Lifetime": "Debug"
  "AllowedHosts": "*",
  "CorsHosts": "",
  "Data": {
    "RepositoryPath": "%ProgramData%\\UniversalAutomation\\Repository",
    "ConnectionString": "%ProgramData%\\UniversalAutomation\\database.db",
    "GitRemote": "",
    "GitUserName": "",
    "GitPassword": "", 
    "ConfigurationScript": ""
  "Api": {
    "Url": ""
  "Authentication" : {
    "Windows": {
      "Enabled": "true"
    "WSFed": {
      "Enabled": "false",
      "MetadataAddress": "",
      "Wtrealm": "",
      "CallbackPath": "/auth/signin-wsfed"
    "OIDC": {
      "Enabled": "false",
      "CallbackPath": "/auth/signin-oidc",
      "ClientID": "",
      "ClientSecret": "",
      "Resource": "",
      "Authority": "",
      "ResponseType": "",
      "SaveTokens": "false"
    "SessionTimeout": "25"
  "Jwt": {  
    "SigningKey": "PleaseUseYourOwnSigningKeyHere",  
    "Issuer": "IronmanSoftware",
    "Audience": "PowerShellUniversal"
  "UniversalDashboard": {
    "AssetsFolder": "%ProgramData%\\PowerShellUniversal\\Dashboard"
  "ShowDevTools": false,
  "HideAdminConsole": false


Testing (from PS7.1)

PS C:\Users\adamr> invoke-restmethod http://localhost:82/authed
Invoke-RestMethod: Response status code does not indicate success: 401 (Unauthorized).
PS C:\Users\adamr> invoke-restmethod http://localhost:82/test
PS C:\Users\adamr> invoke-restmethod http://localhost:82/authed -UseDefaultCredentials -AllowUnencryptedAuthentication
PS C:\Users\adamr> invoke-restmethod http://localhost:82/authed -Headers @{ Authorization = "Bearer eyJhbG///" }

I cannot access the Admin Console without authenticating.

OK, I’m a bit confused now, because it looks like I have identical config (minus endpoint name/definition) but get different results…

irm -UseDefaultCredentials

id             : 4
url            : /param
method         : GET
scriptBlock    :
                     Param (
                         $Foo = 'bar'

authentication : True
role           : Administrator
regEx          : False
errorAction    : 0

So in theory that one should not let me in w/o credentials, right…?
But in reality I get this…:


Just to be sure (SID changed) here is definition of Administrator role:

irm -UseDefaultCredentials | % Policy

    Param (


Interesting part is that swagger API will honor requirement to have creds:

irm | % Policy
irm : The remote server returned an error: (401) Unauthorized.

So now I’m thinking I’m doing something wrong with endpoint configuration?