I think I’ve found a solution, and I’d appreciate it if someone could take a look and comment, so I know if I’m on the right track.
After numerous changes, I realized that one of the bigger problems was that I wasn’t performing a Clean + Rebuild, so Visual Studio kept caching my modifications.
In the end, the solution came down to the following part of the web.config file:
<system.web>
  <authentication mode="Windows" />
  <compilation debug="true" targetFramework="4.5.2" />
  <httpRuntime targetFramework="4.5.2" />
  <httpModules>
    <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" />
  </httpModules>
</system.web>
<!-- Set Windows Auth for api/auth/token endpoint.
     These are IIS-level (system.webServer) settings; overriding them here only works
     if the two sections are unlocked in applicationHost.config, see below. -->
<location path="api/auth/token">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>
<!-- For the rest of the app, allow anonymous auth -->
<system.webServer>
  <security>
    <authentication>
      <anonymousAuthentication enabled="true" />
      <windowsAuthentication enabled="false" />
    </authentication>
  </security>
</system.webServer>
Now, the first endpoint passes through Windows Authentication (receives the Authorization: Negotiate ... header), while the rest of the application is authorized through CustomAuthorization using JWT tokens.
Additionally, I had to configure the following in the applicationhost.config file:
<!-- Inside configSections > system.webServer > security > authentication;
     both sections ship with overrideModeDefault="Deny", which is what blocks the <location> override -->
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<section name="windowsAuthentication" overrideModeDefault="Allow" />
I would appreciate it if someone could review this and provide advice or recommendations on whether this setup is acceptable.
Thank you!
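The following verification script is an added example and is not part of the original post or the poster's project. It checks the three things the configuration above depends on: that the two IIS authentication sections are unlocked at the server level, that IIS resolves the intended effective settings per path, and that an anonymous request to the token endpoint is really answered with a Negotiate challenge while other routes are not. It assumes Windows PowerShell 5.1 with the WebAdministration module on the IIS host, a site named "Default Web Site" bound on http://localhost, the token route api/auth/token from the post, and a second API route api/values standing in for any route that is meant to be handled by the JWT filter; all of those names are assumptions to adjust.

```powershell
# Added verification script (not from the original post). Assumptions (adjust):
# Windows PowerShell 5.1, WebAdministration module, site "Default Web Site" bound on
# http://localhost, token route "api/auth/token", another route "api/values" that should
# stay anonymous at the IIS layer. Run elevated if the unlock step has to write config.
Import-Module WebAdministration

$site      = 'Default Web Site'   # assumed site name
$sitePath  = "IIS:\Sites\$site"
$baseUrl   = 'http://localhost'   # assumed binding
$tokenPath = 'api/auth/token'
$otherPath = 'api/values'         # assumed: any route handled by the JWT authorization filter
$authBase  = 'system.webServer/security/authentication'

# 1. Unlock check. Both sections default to overrideModeDefault="Deny" in applicationHost.config;
#    while either is still Deny, the <location> block in web.config fails with HTTP 500.19.
foreach ($section in 'anonymousAuthentication', 'windowsAuthentication') {
    $meta = Get-WebConfiguration -Filter "$authBase/$section" -PSPath 'MACHINE/WEBROOT/APPHOST' -Metadata
    '{0,-24} overrideMode = {1}' -f $section, $meta.OverrideMode
    if ($meta.OverrideMode -ne 'Allow') {
        # Same effect as hand-editing <section name="..." overrideModeDefault="Allow" />
        Set-WebConfiguration -Filter "$authBase/$section" -PSPath 'MACHINE/WEBROOT/APPHOST' -Metadata overrideMode -Value Allow
    }
}

# 2. Effective settings as IIS resolves them for each path (site config plus <location> overrides).
function Get-EffectiveAuth([string]$location) {
    [pscustomobject]@{
        Path      = $location
        Anonymous = [bool](Get-WebConfiguration -Filter "$authBase/anonymousAuthentication" -PSPath $sitePath -Location $location).enabled
        Windows   = [bool](Get-WebConfiguration -Filter "$authBase/windowsAuthentication"   -PSPath $sitePath -Location $location).enabled
    }
}
$token = Get-EffectiveAuth $tokenPath
$other = Get-EffectiveAuth $otherPath
@($token, $other) | Format-Table -AutoSize

if (-not ($token.Windows -and -not $token.Anonymous)) { throw "$tokenPath is not Windows-only at the IIS layer" }
if (-not ($other.Anonymous -and -not $other.Windows)) { throw "$otherPath is not anonymous at the IIS layer" }

# 3. Black-box check. Invoke-WebRequest throws on 401 in PowerShell 5.1, so the response is
#    recovered from the WebException; a missing response means no HTTP reply at all.
function Get-AuthChallenge([string]$url) {
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
    } catch [System.Net.WebException] {
        $r = $_.Exception.Response
        if (-not $r) { throw }
    }
    [pscustomobject]@{ Url = $url; Status = [int]$r.StatusCode; Challenge = $r.Headers['WWW-Authenticate'] }
}
$t = Get-AuthChallenge "$baseUrl/$tokenPath"
$o = Get-AuthChallenge "$baseUrl/$otherPath"
@($t, $o) | Format-Table -AutoSize

# The token endpoint must answer an anonymous request with 401 and a Negotiate challenge ...
if ($t.Status -ne 401 -or $t.Challenge -notmatch 'Negotiate') { throw "$tokenPath did not challenge with Negotiate" }
# ... and no other route should emit a Negotiate challenge (a 401 there must come from the JWT filter).
if ($o.Challenge -match 'Negotiate') { throw "$otherPath unexpectedly challenged with Negotiate" }

# Finally, the same endpoint should succeed when the caller presents Windows credentials.
$ok = Invoke-WebRequest -Uri "$baseUrl/$tokenPath" -UseBasicParsing -UseDefaultCredentials
"Authenticated call to $tokenPath returned HTTP $([int]$ok.StatusCode)"
```

The point of step 3 is that step 2 only proves what IIS is configured to do; the HTTP probe proves that the request pipeline actually enforces it, and the second probe guards against the common mistake of Windows authentication leaking onto routes that are supposed to be protected by the JWT filter alone.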