I am attempting to create a local intranet IIS server which can deploy/update ClickOnce applications for users who are authorized to access them and block them from everyone else.
I have a working IIS server with Windows Authentication enabled (and Anonymous Authentication disabled), when a user accesses the url location it prompts them to sign in to a user account that exists on the IIS server with username and password. Once they've done so, they can download the ClickOnce setup.exe or MyClickOnceApp.Application file.
When installing however, this gives a 401 because the Windows Authentication credentials from the server is not being passed through to ClickOnce (I believe). It doesn't give a prompt to the user, it just fails.
Many other people seem to have this same problem (see a dump of the same error by a different user here), https://learn.microsoft.com/en-us/answers/questions/1237929/clickonce-deployment-with-windows-authentication-r with no available solutions (or explanations of why this is not possible offered).
https://www.pcreview.co.uk/threads/authenticated-access-to-clickonce-install.3200358/
According to Microsoft documentation, Windows Authentication should work (and is the only available option). Unfortunately it gives no indication on how ClickOnce is supposed to recieve the credentials the IIS server had you enter before downloading.
ClickOnce does not support ASP.NET forms-based authentication because it uses persistent cookies; these present a security risk because they reside in the browser cache and can be hacked. Therefore, if you're deploying ClickOnce applications, any authentication scenario besides Windows authentication is unsupported.
How can I get ClickOnce to either prompt for a second sign on or to use the credentials already entered?