
I have a Web Api 2 service and a javascript website. Both are hosted on an internal IIS server for internal customers. I need to be able to get the Windows User from the site to the service via Windows Authentication.

When I browse to the service metadata operation in Chrome (For example: http://theServer.domain.net/myController/metadata) I get the correct result along with the user information.

But when I try to load that data in my application I get the following error:

401.2 You are not authorized to view this page due to invalid authentication headers.

However, this only fails in Chrome. IE 11 loads it just fine.

This is what I have tried / have setup:

  • The most common fix for this is to make sure that you have Windows Authentication turned on for IIS. I have double checked that this is on. And that my IIS Web Site has both the windows authentication modules.

  • I am running both the app pools (one for the service and one for the site) as Application Pool Identity security. And I have made sure that the app pools have access to the files on the disk. (Just to be sure, I even tried it with them set up to run as me.)

  • I have also set up my web site with <authentication mode="Windows" /> in the web.config.

  • My website is set up with both Windows and Anonymous Authentication. And my service is set up for only Windows Authentication.

  • On both server and website the Windows Authentication is set up so that the only provider is NTLM.

  • On both application pools I have turned on enable 32 bit applications.

Since none of this was working, I tried to fire up Fiddler to see if I could look at the headers and debug on a lower level. But once Fiddler was running, the problem went away! The error was gone and the server was getting the authentication correct! However, it only works while Fiddler is running. (I tried reading "Help! Running Fiddler fixes my App", but I could not see anything that would help.)

So, my question is, what do I need to do to get this working with Windows Authentication? (I need the user information.)

Vaccano
  • What do you mean by "a javascript website"? How is this configured? Since you retrieve the credentials correctly when you access the service URL directly, your problem is likely on the configuration of your website – GôTô Feb 09 '17 at 23:51
  • It is a SPA created using Aurelia and Typescript. – Vaccano Feb 10 '17 at 00:16
  • With no back end? – GôTô Feb 10 '17 at 00:27

1 Answer


Windows authentication from the browser is only supported in IE.

from: https://technet.microsoft.com/en-us/library/cc754628(v=ws.10).aspx

Windows authentication, which includes both NTLM and Kerberos v5 authentication, is best suited for an intranet environment for the following reasons:

  • Client computers and Web servers are in the same domain.

  • Administrators can make sure that every client browser is Internet Explorer 2.0 or later versions.

  • HTTP proxy connections, which are not supported by NTLM, are not required.

  • Kerberos v5 requires a connection to Active Directory, which is not feasible in an Internet environment.

Regarding Fiddler - do you have the 'Automatically Authenticate' option turned on? https://stackoverflow.com/a/34851503/1165140

Avner
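
A small diagnostic for the header-level debugging the question attempts with Fiddler, added here as an example and not code from the question or the answer: given the request and response headers captured for one URL, it reports how far the NTLM exchange got. The function names, stage labels and sample tokens are constructed for illustration; it runs under Node.js.

```javascript
// Added example: constructed data and hypothetical helper names throughout.
const NTLMSSP = Buffer.from("NTLMSSP\0", "latin1"); // 8-byte NTLM message signature

// Build a header-only NTLM token of the given message type (constructed sample).
function sampleToken(type) {
  const b = Buffer.alloc(12);
  NTLMSSP.copy(b);
  b.writeUInt32LE(type, 8); // message type follows the signature, little-endian
  return b.toString("base64");
}

// Message type (1 negotiate, 2 challenge, 3 authenticate) in "NTLM <base64>", else null.
function ntlmMessageType(headerValue) {
  const m = /^NTLM\s+([A-Za-z0-9+\/=]+)$/i.exec((headerValue || "").trim());
  if (!m) return null;
  const raw = Buffer.from(m[1], "base64");
  if (raw.length < 12 || !raw.subarray(0, 8).equals(NTLMSSP)) return null;
  return raw.readUInt32LE(8);
}

// Walk captured request/response pairs for one URL and report the last stage reached.
function diagnose(exchanges) {
  let stage = "no-challenge";
  for (const { authorization, status, wwwAuthenticate = [] } of exchanges) {
    const sent = ntlmMessageType(authorization);
    const gotChallenge = wwwAuthenticate.some((v) => ntlmMessageType(v) === 2);
    const offersNtlm = wwwAuthenticate.some((v) => /^NTLM$/i.test(v.trim()));
    if (status !== 401) return sent === 3 ? "authenticated" : "no-auth-required";
    if (sent === 3) stage = "credentials-rejected";
    else if (sent === 1 && gotChallenge) stage = "challenge-issued";
    else if (!authorization) stage = offersNtlm ? "client-never-answered" : "ntlm-not-offered";
  }
  return stage;
}

// Constructed captures: a client that stops after the first 401, and a full handshake.
const stalled = [{ status: 401, wwwAuthenticate: ["NTLM"] }];
const complete = [
  { status: 401, wwwAuthenticate: ["NTLM"] },
  { authorization: "NTLM " + sampleToken(1), status: 401,
    wwwAuthenticate: ["NTLM " + sampleToken(2)] },
  { authorization: "NTLM " + sampleToken(3), status: 200 },
];
console.log(diagnose(stalled), "/", diagnose(complete));
```

A capture that ends at `client-never-answered` shows the server offered NTLM and the client sent no `Authorization` header in reply; `credentials-rejected` shows the full exchange ran and the server still refused.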