Problem with CORS preflight request on ADFS WIA endpoint

SH 1 Reputation point
2021-12-29T12:31:49.8+00:00

Hello,

I have got a problem with the WIA authentication endpoint on ADFS in Windows Server 2019 in combination with a CORS preflight request:

If a client session of a web application expires and the user then clicks on some link in a page, the client JavaScript produces an XHR request and the server responds with a redirection to the WS-Federation authentication endpoint (/adfs/ls) on the ADFS server. The client sends a CORS preflight request (OPTIONS), to which the server successfully responds, and the subsequent GET request is answered with a redirection to the Windows Integrated Authentication (WIA) endpoint (/adfs/ls/wia). The client then sends a CORS preflight request (OPTIONS) to this endpoint as well, but the server responds with a 401 Unauthorized HTTP status code without the necessary CORS headers. The next GET XHR request is blocked by the web browser because the previous preflight request failed.

Below is a slightly generalized log of the communication.

I think the /adfs/ls/wia endpoint should respond to the CORS preflight request with an HTTP 200 OK status code and CORS response headers. Then the following GET request will not be blocked by the web browser and should be answered with an HTTP 401 Unauthorized status code.

Similar behavior is also found in other commonly used web browsers (Edge, Chrome).

I tried to find a configuration solution, but without success. CORS is configured correctly on the ADFS server (CORSEnabled and CORSTrustedOrigins properties) and I could not find any other configuration, i.e. for the WIA authentication endpoint.

Could anyone advise how to get the adfs/ls/wia endpoint to process the CORS preflight request correctly, or is this a bug in the ADFS server implementation?

Thank you very much for any advice.

Communication log:

POST /iportal/exec/dashboard HTTP/1.1
Host: appserver.somedomain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: cs,sk;q=0.8,en-US;q=0.6,en-GB;q=0.4,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://appserver.somedomain.com/iportal/dashboard-procHistory
Content-Type: application/json
Origin: https://appserver.somedomain.com
Content-Length: 77695
Connection: keep-alive
Cookie: CID=AgAAAGHtQYyYOLLYcYfbBOwcSI0=; WBSID=5832b34f4e02f00f;
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 302 Found
Date: Tue, 28 Dec 2021 12:10:06 GMT
Location: https://adfs.somedomain.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3A%2F%2Fappserver.somedomain.com%2F&wctx=ru%3Dhttps%253A%252F%252Fappserver.somedomain.com%252Fiportal%252Fexec%252Fdashboard&wct=2021-12-28T13%3A10%3A06Z
Content-Length: 0


OPTIONS /adfs/ls/?wa=wsignin1.0&wtrealm=https%3A%2F%2Fappserver.somedomain.com%2F&wctx=ru%3Dhttps%253A%252F%252Fappserver.somedomain.com%252Fiportal%252Fexec%252Fdashboard&wct=2021-12-28T13%3A10%3A06Z HTTP/1.1
Host: adfs.somedomain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: cs,sk;q=0.8,en-US;q=0.6,en-GB;q=0.4,en;q=0.2
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Referer: https://appserver.somedomain.com/
Origin: https://appserver.somedomain.com
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, POST
Content-Length: 0
Content-Type: text/html; charset=utf-8
Vary: Origin
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age = 31536000
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;
Access-Control-Allow-Origin: https://appserver.somedomain.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: CONNECT, DELETE, GET, MERGE, OPTIONS, POST, PUT, PATCH, TRACE
Access-Control-Max-Age: 86400
Date: Tue, 28 Dec 2021 12:10:07 GMT


GET /adfs/ls/?wa=wsignin1.0&wtrealm=https%3A%2F%2Fappserver.somedomain.com%2F&wctx=ru%3Dhttps%253A%252F%252Fappserver.somedomain.com%252Fiportal%252Fexec%252Fdashboard&wct=2021-12-28T13%3A10%3A06Z HTTP/1.1
Host: adfs.somedomain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: cs,sk;q=0.8,en-US;q=0.6,en-GB;q=0.4,en;q=0.2
Accept-Encoding: gzip, deflate, br
Origin: https://appserver.somedomain.com
Referer: https://appserver.somedomain.com/
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 302 Found
Content-Length: 0
Content-Type: text/html; charset=utf-8
Location: https://adfs.somedomain.com:443/adfs/ls/wia?wa=wsignin1.0&wtrealm=https%3A%2F%2Fappserver.somedomain.com%2F&wctx=ru%3Dhttps%253A%252F%252Fappserver.somedomain.com%252Fiportal%252Fexec%252Fdashboard&wct=2021-12-28T13%3A10%3A06Z&client-request-id=b3a8414e-1afc-4be7-a200-0080000000c1
Vary: Origin
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age = 31536000
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;
Access-Control-Allow-Origin: https://appserver.somedomain.com
Access-Control-Allow-Credentials: true
Date: Tue, 28 Dec 2021 12:10:07 GMT


OPTIONS /adfs/ls/wia?wa=wsignin1.0&wtrealm=https%3A%2F%2Fappserver.somedomain.com%2F&wctx=ru%3Dhttps%253A%252F%252Fappserver.somedomain.com%252Fiportal%252Fexec%252Fdashboard&wct=2021-12-28T13%3A10%3A06Z&client-request-id=b3a8414e-1afc-4be7-a200-0080000000c1 HTTP/1.1
Host: adfs.somedomain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: cs,sk;q=0.8,en-US;q=0.6,en-GB;q=0.4,en;q=0.2
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Access-Control-Request-Headers: content-type
Referer: https://appserver.somedomain.com/
Origin: https://appserver.somedomain.com
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Tue, 28 Dec 2021 12:10:07 GMT

(Firefox network debugger reports error "CORS Missing Allow Origin")


GET /adfs/ls/wia?wa=wsignin1.0&wtrealm=https%3A%2F%2Fappserver.somedomain.com%2F&wctx=ru%3Dhttps%253A%252F%252Fappserver.somedomain.com%252Fiportal%252Fexec%252Fdashboard&wct=2021-12-28T13%3A10%3A06Z&client-request-id=b3a8414e-1afc-4be7-a200-0080000000c1 undefined
Host: adfs.somedomain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: cs,sk;q=0.8,en-US;q=0.6,en-GB;q=0.4,en;q=0.2
Accept-Encoding: gzip, deflate, br
Origin: https://appserver.somedomain.com
Referer: https://appserver.somedomain.com/
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

(Request not sent to server, Firefox network debugger reports error "NS_ERROR_DOM_BAD_URI")
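The rejection in the log can be reproduced offline by applying the browser's CORS preflight checks (status must be 2xx, Access-Control-Allow-Origin must echo the Origin, credentialed calls need Access-Control-Allow-Credentials: true, and every header in Access-Control-Request-Headers must appear in Access-Control-Allow-Headers) to the recorded responses. The checker below is an added example, not code from the original post or from ADFS; the sample messages are trimmed copies of the log above, and it assumes the XHR runs with credentials (cookies) included, which is the situation for a session-cookie based application.

```javascript
// Added example (not code from the original post or from ADFS): evaluate a
// CORS preflight response the way a browser does, following the Fetch
// standard's "CORS-preflight fetch" checks, to show exactly why the answer
// from /adfs/ls/wia is rejected while the one from /adfs/ls is accepted.

// Parse a raw HTTP request or response (start line plus header block) into
// { startLine, headers }; headers maps lower-cased names to value lists.
function parseHttpMessage(raw) {
  const lines = raw.trim().split(/\r?\n/);
  const headers = new Map();
  for (const line of lines.slice(1)) {
    if (line.trim() === "") break; // end of the header block
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return { startLine: lines[0], headers };
}

// Combined value of a header, or null when it is absent.
function header(msg, name) {
  const values = msg.headers.get(name.toLowerCase());
  return values ? values.join(", ") : null;
}

// Split a comma-separated header value into trimmed, lower-cased tokens.
function tokens(value) {
  if (!value) return [];
  return value.split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Return the reasons a browser would reject this preflight; an empty list
// means the actual request may go out. `credentials` is true when the fetch
// runs with cookies included (assumed here); that disables the "*" wildcards.
function checkPreflight(rawRequest, rawResponse, credentials = true) {
  const req = parseHttpMessage(rawRequest);
  const res = parseHttpMessage(rawResponse);
  const problems = [];

  // 1. The preflight response itself must be 2xx; a 401 fails right here.
  const status = parseInt(res.startLine.split(" ")[1], 10);
  if (!(status >= 200 && status <= 299)) problems.push(`preflight status ${status} is not 2xx`);

  // 2. Access-Control-Allow-Origin must echo the Origin (Firefox reports its
  //    absence as "CORS Missing Allow Origin").
  const origin = (header(req, "Origin") || "").toLowerCase();
  const allowOrigin = header(res, "Access-Control-Allow-Origin");
  if (allowOrigin === null) {
    problems.push("missing Access-Control-Allow-Origin");
  } else if (allowOrigin === "*") {
    if (credentials) problems.push("Access-Control-Allow-Origin '*' is not allowed with credentials");
  } else if (allowOrigin.toLowerCase() !== origin) {
    problems.push(`Access-Control-Allow-Origin '${allowOrigin}' does not match Origin '${origin}'`);
  }

  // 3. Credentialed requests additionally need Allow-Credentials: true.
  if (credentials && header(res, "Access-Control-Allow-Credentials") !== "true") {
    problems.push("Access-Control-Allow-Credentials is not 'true'");
  }

  // 4. The requested method must be CORS-safelisted or explicitly allowed.
  const method = (header(req, "Access-Control-Request-Method") || "").toUpperCase();
  const allowMethods = tokens(header(res, "Access-Control-Allow-Methods")).map((m) => m.toUpperCase());
  const methodOk = ["GET", "HEAD", "POST"].includes(method) || allowMethods.includes(method) ||
    (allowMethods.includes("*") && !credentials);
  if (!methodOk) problems.push(`method ${method} is not allowed by Access-Control-Allow-Methods`);

  // 5. Every requested header must be listed (a wildcard never covers Authorization).
  const wanted = tokens(header(req, "Access-Control-Request-Headers"));
  const allowHeaders = tokens(header(res, "Access-Control-Allow-Headers"));
  for (const name of wanted) {
    const listed = allowHeaders.includes(name) ||
      (allowHeaders.includes("*") && !credentials && name !== "authorization");
    if (!listed) problems.push(`header '${name}' is not allowed by Access-Control-Allow-Headers`);
  }
  return problems;
}

// Constructed samples, trimmed from the log in the question (query strings
// shortened, unrelated headers dropped).
const PREFLIGHT_LS = `OPTIONS /adfs/ls/?wa=wsignin1.0 HTTP/1.1
Host: adfs.somedomain.com
Access-Control-Request-Method: GET
Origin: https://appserver.somedomain.com`;

const RESPONSE_LS = `HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://appserver.somedomain.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: CONNECT, DELETE, GET, MERGE, OPTIONS, POST, PUT, PATCH, TRACE
Access-Control-Max-Age: 86400`;

const PREFLIGHT_WIA = `OPTIONS /adfs/ls/wia?wa=wsignin1.0 HTTP/1.1
Host: adfs.somedomain.com
Access-Control-Request-Method: GET
Access-Control-Request-Headers: content-type
Origin: https://appserver.somedomain.com`;

const RESPONSE_WIA = `HTTP/1.1 401 Unauthorized
Content-Length: 0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM`;

// Hypothetical reply the question proposes for the WIA endpoint: 200 plus the
// CORS headers /adfs/ls already returns (constructed, not observed).
const RESPONSE_WIA_PROPOSED = `HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://appserver.somedomain.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS`;

console.log(checkPreflight(PREFLIGHT_LS, RESPONSE_LS));            // []
console.log(checkPreflight(PREFLIGHT_WIA, RESPONSE_WIA));          // 401 plus missing headers
console.log(checkPreflight(PREFLIGHT_WIA, RESPONSE_WIA_PROPOSED)); // content-type still unlisted
```

Running it with Node shows the /adfs/ls exchange passing and the /adfs/ls/wia exchange failing on four counts, the first being the 401 status. The third call adds a caveat worth knowing before filing this purely as a missing Allow-Origin header: because the logged preflight carries Access-Control-Request-Headers: content-type, even a 200 with the same CORS headers as /adfs/ls would still be rejected until the response also lists content-type in Access-Control-Allow-Headers. In practice that makes the WIA endpoint a poor target for script-initiated (XHR/fetch) requests regardless of configuration, which is why a top-level navigation to the sign-in flow is the usual way around it.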

2 answers

  1. Marc Kamerbeek 1 Reputation point
    2022-05-25T11:22:50.7+00:00

    Hi, did you manage to find a solution?

    I got official Microsoft support on this issue and an engineer told me that these WIA endpoints don't offer CORS headers and never will. They are not willing to change this. We have been struggling for a few months now to get this to work without any success.

    Please let me know if you have anything that works.

    Regards,

    Marc


  2. Kamerbeek, M. (Marc) - CJIB/IT&BV 0 Reputation points
    2023-02-16T08:01:23.1833333+00:00

    Thanks SH. Sorry for my late response. I was not notified.

    In the end we also built our own refresh mechanism in the frontend. It's a shame that Microsoft is not willing to help with this. One more reason to ditch this product.

    Thanks for all the replies!


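One way to build the kind of front-end refresh mechanism mentioned in the answer above, as an added example that is neither Marc's team's code nor anything Microsoft ships: the API wrapper calls fetch() with redirect: "manual" so that script never follows the 302 into ADFS (where the WIA preflight fails), and on an opaque redirect or a 401 it sends the whole browser window through the sign-in flow instead, which works because a top-level navigation is not subject to CORS. It assumes the application uses fetch rather than XMLHttpRequest (only fetch can decline to follow redirects), that it exposes a login entry point at a hypothetical path /iportal/login, and that this entry point accepts a returnUrl parameter; all three are assumptions for the example.

```javascript
// Added example, not code from the original thread or from ADFS: a fetch()
// wrapper that stops script from chasing the WS-Federation redirect and
// re-authenticates via a top-level navigation instead.

// Decide what the caller should do with a response to an API call. Kept as
// a pure function so it can be unit-tested outside a browser.
function classifyApiResponse(resp) {
  // With redirect: "manual" any 3xx arrives as an opaque redirect (status 0),
  // which for this application means "the session is gone, go sign in".
  if (resp.type === "opaqueredirect" || resp.status === 401) return "reauthenticate";
  if (resp.status >= 200 && resp.status <= 299) return "ok";
  return "error";
}

// URL to navigate to when the session has expired: the app's own sign-in
// entry point (hypothetical path) carrying the page the user was on, so the
// app can restore it after ADFS sends the user back.
function reauthUrl(currentHref, loginPath = "/iportal/login") {
  const url = new URL(loginPath, currentHref);
  url.searchParams.set("returnUrl", currentHref);
  return url.toString();
}

// Wrapper around fetch() for same-origin JSON API calls. `navigate` is
// injected so the logic stays testable; in the browser the default performs
// a real top-level navigation.
async function apiFetch(input, init = {}, navigate = (href) => window.location.assign(href)) {
  const resp = await fetch(input, {
    ...init,
    credentials: "same-origin",
    redirect: "manual", // never follow the 302 to ADFS from script
  });
  switch (classifyApiResponse(resp)) {
    case "ok":
      return resp;
    case "reauthenticate":
      navigate(reauthUrl(window.location.href));
      throw new Error("session expired; redirecting to sign-in");
    default:
      throw new Error(`API call failed with HTTP ${resp.status}`);
  }
}

// Example browser usage (not executed here):
// apiFetch("/iportal/exec/dashboard", { method: "POST", body: payload,
//          headers: { "Content-Type": "application/json" } })
//   .then((r) => r.json())
//   .catch((e) => console.warn(e.message));
```

The design choice is to treat the redirect as a signal rather than something to follow: once the session has expired, nothing a script-initiated request can do will get through the WIA preflight, so the only useful reaction is to hand control to the browser's navigation, after which the normal WS-Federation round trip (and WIA) proceeds as it does on a fresh page load. A 401 is handled the same way so the behaviour does not depend on whether the application server answers an expired session with a redirect or a bare status code.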