HttpContext.Current.User is null even though Windows Authentication is on
The answer to of moving the Application Pool back to classical is just delaying the problem.
Instead leave the application pool alone and move your authenticate check from Application_AuthenticateRequest(), to the next function in the pipeline:
Application_AuthorizeRequest(object sender, EventArgs e)By then the integrated Application Pool has completed the windows authentication allow you not to receive null from HttpContext.Current.User.
The pipeline can be found here (link provided by CarlosAg).
A visualization of the pipeline can be found on the asp website message lifecycle page. In the controller section checkout the two green boxes "Authentication filters" and "Authorization filters". These are the areas you are messing with.
Runtime Fidelity
In Integrated mode, the ASP.NET request-processing stages that are exposed to modules are directly connected to the corresponding stages of the IIS pipeline. The complete pipeline contains the following stages, which are exposed as HttpApplication events in ASP.NET:
- BeginRequest. The request processing starts.
- AuthenticateRequest. The request is authenticated. IIS and ASP.NET authentication modules subscribe to this stage to perform authentication.
- PostAuthenticateRequest.
- AuthorizeRequest. The request is authorized. IIS and ASP.NET authorization modules check whether the authenticated user has access to the resource requested.
- PostAuthorizeRequest.
- ResolveRequestCache. Cache modules check whether the response to this request exists in the cache, and return it instead of proceeding with the rest of the execution path. Both ASP.NET Output Cache and IIS Output Cache features execute.
- PostResolveRequestCache.
- MapRequestHandler. This stage is internal in ASP.NET and is used to determine the request handler.
- PostMapRequestHandler.
- AcquireRequestState. The state necessary for the request execution is retrieved. ASP.NET Session State and Profile modules obtain their data.
- PostAcquireRequestState.
- PreExecuteRequestHandler. Any tasks before the execution of the handler are performed.
- ExecuteRequestHandler. The request handler executes. ASPX pages, ASP pages, CGI programs, and static files are served.
- PostExecuteRequestHandler
- ReleaseRequestState. The request state changes are saved, and the state is cleaned up here. ASP.NET Session State and Profile modules use this stage for cleanup.
- PostReleaseRequestState.
- UpdateRequestCache. The response is stored in the cache for future use. The ASP.NET Output Cache and IIS Output Cache modules execute to save the response to their caches.
- PostUpdateRequestCache.
- LogRequest. This stage logs the results of the request, and is guaranteed to execute even if errors occur.
- PostLogRequest.
- EndRequest. This stage performs any final request cleanup, and is guaranteed to execute even if errors occur.
By using the familiar ASP.NET APIs, the ability to execute in the same stages as IIS modules makes tasks that were only previously accessible in native ISAPI filters and extensions now possible in managed code.
For example, you can now write modules that do the following:
- Intercept the request before any processing has taken place, for example rewriting URLs or performing security filtering.
- Replace built-in authentication modes.
- Modify the incoming request contents, such as request headers.
- Filter outgoing responses for all content types.
See Developing an IIS 7 and Above Module with .NET for a good example of how to extend IIS with a custom ASP.NET authentication module.
https://www.asp.net/media/4071077/aspnet-web-api-poster.pdf
