Allow any user to access 'signalr/hubs' without credentials, using cors (server runs windows authentication)

Question

I have two servers

SignalR host (windows authentication, IIS)
Rest of the web page host (forms authentication, IIS)

I have set it all up and it works with longpolling in Chrome. (1) asks for username and password when using Firefox and navigating to https://localhost:44301/signalr/hubs.

(1) uses windows authentication. I have tried to avoid authentication by doing the following in web.config:

<location path="signalr">
  <system.web>
     <authorization>
        <allow users="*" />
     </authorization>
  </system.web>
</location>

But SignalR is not a path, because this is generated automatically. I have also tried to do this to expose the hubs, to no avail:

<location path="~/Hubs">
  <system.web>
     <authorization>
        <allow users="*" />
     </authorization>
  </system.web>
</location>

Could anyone help me find a way to remove authentication from https://localhost:12321/signalr/* ? (this includes all signalr/negotiate calls ++ also)

score 2 · Answer 1 · answered Mar 30 '16 at 07:53

2

Try

<allow users="?"/>

as it allows anonymous, with asterix "*" you allow "All users".

answered Mar 30 '16 at 07:53

Froxer

124
1
3
12

I would certainly imagine that 'All users' also includes 'anonymous' users... however the problem is not ? or *, it's the fact that the 'location path' does not exists.. – Bjørn Mar 30 '16 at 08:14
The title said Remove Auth, quickest thing in my head was to just allow anonymous. – Froxer Mar 30 '16 at 09:00
@BjørnØyvindHalvorsen In short the answer is what i wrote as an answer to the original question :) Glad you got it sorted! – Froxer Apr 07 '16 at 22:57
The original question is not just the title... The originial question was the title and the body of the question. If you had read both you would have known that was just a change in permissions, rather a restricting factor. ? is more restrictive than *, and as such would not solve any problem of mine... – Bjørn Apr 08 '16 at 06:38
@BjørnØyvindHalvorsen Fair enough. Glad it is solved now :)! Hopefully it will be useful for someonne in the future. – Froxer Apr 08 '16 at 07:47

score 2 · Accepted Answer · edited May 23 '17 at 12:07

I solved this by changing the premises of the problem.

Now the whole server is accessible anonymously, but the paths that need windows authentication has so specified on themselves.

An example of how the controllers that needed safeguarding looks like:

<location path="#####.ashx">
<system.webServer>
  <security>
    <authentication>
      <anonymousAuthentication enabled="false"/>
      <windowsAuthentication enabled="true"/>
    </authentication>
    <authorization>
      <remove users="?" roles="" verbs="" />
      <add accessType="Deny" users="?" />
    </authorization>
  </security>
</system.webServer>
< /location>

And the general setting for the server:

  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true"/>
        <windowsAuthentication enabled="true"/>
      </authentication>
      <authorization>
        <add accessType="Allow" users="?" />
      </authorization>
      <requestFiltering>
        <!--Auction searches with 250 results generates slightly longer string than standard setting of 2048-->
        <requestLimits maxQueryString="3072" />
      </requestFiltering>
    </security>
  </system.webServer>

This might not be a viable solution for everyone, but it worked for me... :)

As a by-note: While working with this i also fought with IIS Express and being able to set windows authentication in web.config at all. This post helped me greatly -> IIS Express Windows Authentication

Allow any user to access 'signalr/hubs' without credentials, using cors (server runs windows authentication)

2 Answers2