
I'm trying to set up a WebAPI web service and website that will operate on our company intranet. I'm using IIS to host the web service (A) as well as my website (B). A page on my website makes a request to the web service thusly:

var URL = 'http://MachineName:80/AWebService/api/GetGuid';
var request = new XMLHttpRequest();
request.open("GET", URL, false);
request.withCredentials = "true";
request.send();
var response = request.responseText;
return response;

The WebService code looks like this:

[EnableCors(origins: "http://localhost", headers: "*", methods: "*")]
public class StoneSoupController : ApiController
{
    [ActionName("GetGuid")]
    public HttpResponseMessage GetGuid()
    {
        var indenty = this.User.Identity;
        Guid g = Guid.NewGuid();

        HttpResponseMessage msg = new HttpResponseMessage();
        msg.Content = new StringContent(g.ToString());
        msg.Headers.Add("Access-Control-Allow-Origin", "http://localhost"); //tried with and without this
        msg.Headers.Add("Access-Control-Allow-Credentials", "true"); //tried with and without this
        return msg;

    }
}

If I set the Authentication mode in IIS for the web service to Anonymous Authentication then the web service returns the guid string as expected. However, I need to control which users are able to access certain methods on the web service and want to use their Windows credentials to do this.

My problem is that I can't seem to make Firefox send the Windows credentials. I've tried including http://localhost in network.automatic-ntlm-auth.trusted-uris in about:config in Firefox, but that doesn't seem to have any effect.

I've enabled logging in IIS and this is what it records for the request:

2013-08-01 21:36:05 136.203.40.232 GET /AWebService/api/GetGuid - 80 - 136.203.40.232 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:17.0)+Gecko/20100101+Firefox/17.0 200 0 0 965

As you can see there's no user id in the transaction.

Can anyone help me with this?

Noel
nickvans

2 Answers


The browser will ask for, or automatically send, user credentials when the response header has

WWW-Authenticate NTLM

Step 2:

You need to change the authentication of your Web API to Windows and add the Authorize attribute to the action or controller.

Step 3: Firefox doesn't send credentials the way IE does. You need to change the Firefox settings: in about:config, set your application URL in the variable network.automatic-ntlm-auth.trusted-uris.

  • Hi Giridhar, sorry it took so long for me to respond. Using HTTPfox I'm able to see that the Response Header "WWW-Authenticate" initially has the value "NegotiateNTLM". Firefox brings up a popup asking for username/password. When I type in the user/password it immediately pops up again which it will do forever. After the first request I see I have a Request Header of "Authorization" with a value of "NTLM TlRMTVNTUAAB..." and there is now a Response Header of "NTLM TIRMTVNTUAAC..." Any idea what I'm doing wrong? – nickvans Sep 24 '13 at 00:32

In regards to your comment to Giridhar:
It might be that IIS does not have "HTTP keep-alive" enabled.

To enable HTTP Keep-Alives

  1. In IIS Manager, expand the local computer, expand the Web Sites folder, right-click the Web site, and click Properties.

  2. On the Web Site tab, in the Connections section, click the Enable HTTP Keep-Alives check box.

  3. Click Apply, and then click OK.

(From Microsoft)

Björn
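
The tokens quoted in the comment above can be read directly: after base64 decoding, an NTLM token starts with the signature `NTLMSSP\0` followed by the message type (1 negotiate, 2 challenge, 3 authenticate). NTLM over HTTP authenticates the connection, so the type 3 message has to arrive on the same connection as the type 2 challenge, which is where keep-alive comes in. The following is an added example, not code from this thread; it assumes Node.js, and the `conn` labels and sample tokens are constructed for illustration.

```javascript
// Added example (not from the original thread): classify NTLM tokens seen in
// Authorization / WWW-Authenticate headers and check the handshake order.
const NTLM_SIGNATURE = Buffer.from('NTLMSSP\0', 'latin1');
const MESSAGE_NAMES = { 1: 'NEGOTIATE', 2: 'CHALLENGE', 3: 'AUTHENTICATE' };

// Returns 1, 2 or 3 for an NTLM token; null for a bare scheme offer
// ("NTLM", "Negotiate") or a token that is not NTLMSSP (e.g. Kerberos).
function ntlmMessageType(headerValue) {
  const match = /^(?:NTLM|Negotiate)\s+([A-Za-z0-9+/]+=*)/.exec(String(headerValue).trim());
  if (!match) return null;
  const raw = Buffer.from(match[1], 'base64');
  if (raw.length < 9 || !raw.subarray(0, 8).equals(NTLM_SIGNATURE)) return null;
  const type = raw[8]; // low byte of the little-endian MessageType field
  return MESSAGE_NAMES[type] ? type : null;
}

// exchange: ordered list of { conn, header }, where conn is a hypothetical
// label for the TCP connection the header was observed on.
function diagnoseHandshake(exchange) {
  const seen = exchange
    .map((m) => ({ conn: m.conn, type: ntlmMessageType(m.header) }))
    .filter((m) => m.type !== null);
  const challenge = seen.find((m) => m.type === 2);
  const authenticate = seen.find((m) => m.type === 3);
  if (!challenge) return 'no-challenge';
  if (!authenticate) return 'stalled-after-challenge';
  return authenticate.conn === challenge.conn
    ? 'completed-on-one-connection'
    : 'authenticate-on-different-connection';
}

// Constructed sample tokens: signature plus MessageType only, no real fields.
function sampleToken(type) {
  const body = Buffer.alloc(12);
  NTLM_SIGNATURE.copy(body, 0);
  body.writeUInt32LE(type, 8);
  return body.toString('base64');
}

// Constructed capture: the type 3 message arrives on a new connection (c2).
const CONSTRUCTED_EXCHANGE = [
  { conn: 'c1', header: 'Negotiate' },
  { conn: 'c1', header: 'NTLM ' + sampleToken(1) },
  { conn: 'c1', header: 'NTLM ' + sampleToken(2) },
  { conn: 'c2', header: 'NTLM ' + sampleToken(3) },
];

console.log(diagnoseHandshake(CONSTRUCTED_EXCHANGE));
```

A capture that ends at `stalled-after-challenge` or `authenticate-on-different-connection` points at the connection handling between browser and server rather than at the credentials themselves.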