IIS CORS Module configuration with Windows Credentials

Charlotte McClellan 20 Reputation points
2024-03-22T19:23:40.2766667+00:00

Hi,

Does anyone have a Windows .Net Core API being accessed via Windows Authentication?

I have not been able to get this to work.

I have an .Net Core API hosted on my Windows 2022 server in IIS with Windows Authentication enabled. We have a on-premise Active Directory 2019 server doing the authentication.

If I go to the API URL in a browser, the Windows authentication window pops up, I enter my credentials, and I get the appropriate JSON data back.

I am now trying to access the API via a JavaScript fetch call from a page in our Intranet that also uses Windows Authentication (same server, different web site, same domain).

The fetch call listed below triggers a CORS preflight options request and response which succeeds.

fetch( user_url, {
        method: 'GET',
        mode: 'cors',
        credentials: 'include',
        dataType: 'json',
        
        headers: {
            'Content-Type': 'application/json',
            'Authorization': 'Negotiate',
            'Access-Control-Request-Method': 'GET',
            'Access-Control-Request-Headers': 'Content-Type, Authorization, WWW-Authenticate, additional-header',
        },
        
    } ) 
   

However the GET for the fetch fails with a "CORS Missing Allow Origin" error even though the pre-flight OPTIONS request succeeds and has the correct "access-control-allow-origin" header in it.

The API site has the IIS CORS Module enabled with an add origin with the URL of the server hosting the page doing the request and the Allowed Credentials="true" option set. The remaining options are set as in the documentation.

CORS settings in web.config for API site

<add origin="https://intranet.domaon" allowCredentials="true" maxAge="120" >

   <add origin="https://intranet.domain" allowCredentials="true" maxAge="120" >		  
          <allowHeaders allowAllRequestedHeaders="true">
			  <add header="header1"  />
			  <add header="header2"  />
		  </allowHeaders>
		  <allowMethods>
			  <add method="GET" />
		  </allowMethods>
		  <exposeHeaders>
			  <add header="header1" />
			  <add header="header2" />
		  </exposeHeaders>
	</add>
```It seems to me that if the pre-flight OPTIONS request should work, the GET should work.

Has anyone gotten this scenario to work? 

Thanks,

Charlotte
Internet Information Services
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,075 questions
ASP.NET API
ASP.NET API
ASP.NET: A set of technologies in the .NET Framework for building web applications and XML web services.API: A software intermediary that allows two applications to interact with each other.
336 questions
{count} votes

Accepted answer
  1. Bruce (SqlWork.com) 65,231 Reputation points
    2024-03-31T16:14:48.13+00:00

    Windows authentication is an out of band negotiation. There is no token. A new one is generated on each connection. This supported by the browser. Generally the browser will remember the user/password and reuse on new connections to the same site. If you need CORS then the api is treated as a different site and you need to authenticate once for the site. The browsers handles this.

    if you don’t want to login to the site and api, have the main site proxy to the api site. If the api site needs the users id, the proxy code will need to impersonate the user before calling the api. This will work if on the same server. Otherwise you will need to switch to Kerberos and enable delegation.

    note: IIS handles the Windows authentication, the core module just passes it to the asp.net app.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.