ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,199 questions
ASP.NET Core 6 Server authorization - Having trouble with authorization
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 11%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
Dennis Tabako
36
Reputation points
Hi,
I have an ASP.NET Core 6 application that serves as both a server and a client (aggregates data from various machines and serves data to a client). It needs Windows authentication for certain functionality so I have set that up. It also uses SignalR for certain functionality. The problem I have is this: my application needs Windows Authentication set to true in launchsettings.json. If I set also Anonymous Authentication to true on the aggregating server, I can take calls from Postman and the application deployed to the aggregated machines. But then SignalR can't make the connection between the web client and the aggregating server (InvalidOperationException - No authentication scheme specified). If I set Anonymous Authentication to false, SignalR is happy but Postman and my aggregated-machine app get 401.2 (unauthorized) when trying to call into the aggregating server. Is there any way to resolve this so both can work?
Thanks,
Dennis
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 90%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZL%3C/text%3E%3C/svg%3E)
Zhi Lv - MSFT 32,016 Reputation points Microsoft Vendor2022-04-19T06:59:25.937+00:00 If I set Anonymous Authentication to false, SignalR is happy but Postman and my aggregated-machine app get 401.2 (unauthorized) when trying to call into the aggregating server.
When using Postman to send the request, have you ever added the signature?
You could refer the following articles, for the windows Authentication, when using postman to send the request, it needs to use the Postman NTLM authentication:
-
AgaveJoe 26,141 Reputation points2022-04-19T10:40:55.567+00:00 You are describing how every web application works. The browser (client) must follow the authentication/authorization scheme configured on the web server. The web server must follow the authentication/authorization scheme set on the application services/DB server.
You have not explained how the security is supposed to work which makes providing a solution rather difficult. A common scenario is the web applications are secured by an authentication cookie and web services are secured using OAuth/JWT. Database servers are secured by credentials.
Please read the Blazor security docs to find an authentication/authorization scheme that best fits your web application design.
ASP.NET Core Blazor authentication and authorization
The aggregate services should have documentation that explains how the security works. If you are the aggregate services owner then you need to tells us how the security works.
-
Dennis Tabako 36 Reputation points
2022-04-19T12:21:08.637+00:00 Yeah, I'm definitely not up to speed on the web security stuff. I'm going to have to take a step back and just learn this stuff properly. Sometimes I tend to get stuck on a detail and try to work through that without taking in the whole concept. Thanks for setting me on that path. And thanks to you both for the links provided. After I go through the process, I'll come back to this if I have better/more specific questions.
-
Zhi Lv - MSFT 32,016 Reputation points Microsoft Vendor
2022-04-29T01:32:04.207+00:00 Hi @Dennis Tabako ,
Any update about this problem? If you are using the OAuth/JWT authentication, when use Postman to send the request, it still need to add the token at the header or add the cookie (if you are using cookie to store the token). This is similar with using the Windows Authentication, in the Postman, you need to select the NTLM authentication and enter the username and password.
Sign in to comment