I have a Web API using OAuth2 that has a mixture of APIs that allow anonymous and secured calls. I've deployed the code to a separate server on my network and verified using RESTer (similar to Postman) that the calls work. If I make the same calls from outside the network, only the calls that are set to use the ExternalBearer token fail. Anonymous calls succeed.
I checked out this solution, which did not work for me: HTTP 403 Forbidden: Access is denied ASP.NET Web API
I've also ensured on the deployment server that the user account has access to the directory with Full Control.
My anonymous calls (besides the /token call) have the [AllowAnonymous] and [HttpPost] annotations. My secure calls have the [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)] and [HttpPost] annotations.
[Authorize]
[RoutePrefix("api/Lookups")]
public class MySettingsClass : ApiController
{
    /* Constructor omitted for readability */

    // Secured call: requires an ExternalBearer token in addition to the class-level [Authorize]
    [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)]
    [HttpPost]
    [Route("GetSettings")]
    public Settings GetSettings(GetSettingsCommand command)
    {
        //Do something here
        return settings;
    }
}
At this point I suspect IIS isn't configured properly in some way, or a firewall is doing something, but I'm not sure. I checked the IIS logs on the server and I can see the request coming in. Unfortunately the log says nothing more than that it received the request. The log does give an sc-status of 401 for the request, which differs from the 403 that is shown.
Actual 403 Error shown on the client side:
403 Forbidden ( The server denied the specified Uniform Resource Locator(URL). Contact the server administrator.)
Update: When I enable IIS Failed Request Tracing I get this warning in the log.
ModuleName="ManagedPipelineHandler", Notification="EXECUTE_REQUEST_HANDLER", HttpStatus="401", HttpReason="Unauthorized", HttpSubStatus="0", ErrorCode="The operation completed successfully.(0x0)", ConfigExceptionInfo=""
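The question turns on a status mismatch: IIS and Failed Request Tracing record a 401 from ManagedPipelineHandler, while the external client sees a 403 with a message IIS does not normally produce. One way to pin down where each status is decided is to log, inside the Web API pipeline, whether an Authorization header actually reached the application and which status the application itself returned. The following is an added example, not code from the question or from any ASP.NET project: `AuthDiagnosticsHandler`, `LookupsController`, the `Ping` action and the request/response types are constructed stand-ins for the question's own classes, and the `WebApiConfig` registration is the standard Web API 2 shape with the diagnostic handler added. Only the authentication scheme is logged, never the token value.

```csharp
using System.Diagnostics;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity;

// Logs, per request that reaches Web API, whether an Authorization header
// was present (scheme only, the credential itself is never written) and the
// status Web API produced. If a request shows up in the IIS log but never
// here, it was rejected before the managed pipeline handed it to Web API.
public class AuthDiagnosticsHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var auth = request.Headers.Authorization;
        string scheme = auth == null ? "(none)" : auth.Scheme;

        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

        Trace.TraceInformation(
            "{0} {1} auth-scheme={2} -> {3}",
            request.Method, request.RequestUri.PathAndQuery, scheme, (int)response.StatusCode);
        return response;
    }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Registered globally so every Web API request, anonymous or secured, is traced.
        config.MessageHandlers.Add(new AuthDiagnosticsHandler());
        config.MapHttpAttributeRoutes();
    }
}

// Constructed request/response types standing in for the question's own.
public class GetSettingsCommand { public string Key { get; set; } }
public class Settings { public string Key { get; set; } public string Value { get; set; } }

[Authorize]
[RoutePrefix("api/Lookups")]
public class LookupsController : ApiController
{
    // Reachable without a token; mirrors the question's anonymous calls.
    [AllowAnonymous]
    [HttpPost]
    [Route("Ping")]
    public IHttpActionResult Ping()
    {
        return Ok("anonymous ok");
    }

    // Requires a valid ExternalBearer token; without one the filters yield 401.
    [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)]
    [HttpPost]
    [Route("GetSettings")]
    public Settings GetSettings(GetSettingsCommand command)
    {
        return new Settings { Key = command.Key, Value = "value-for-" + command.Key };
    }
}
```

Read the trace alongside the IIS log for the same request id: a line with `auth-scheme=(none)` for a call the client sent with a bearer token means the header was stripped before it reached the application, a line with `auth-scheme=Bearer -> 401` means the token arrived but was not accepted by the configured authentication type, and no line at all for a request that is present in the IIS log means the denial was decided by IIS or an intermediary rather than by the controller. A 403 on the client paired with a 401 in this trace points at a hop between the client and IIS that rewrites the response.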