0

I tries to call an IIS hosted Net CORE REST API from my (first) angular project. I hosted the angular on my local IIS and successfully set up (the angular web) to accept Windows Authenticated user only. When I load the angular web index.html the browser asks my credentials.

Inside my angular component I tried to execute a http delete operation (to delete an item from something), which (on the other side) checks if the caller has permission, so tries to get the caller AD identity.

I tried the followings:

constructor(private http: HttpClient) {}

onClick() {
  < some preparation here, construct parms as HttpParams(), etc ... >
  this.http.delete<ApiHttpRawResponse>(finalUrl, 
    { headers: new HttpHeaders({ 'Content-Type': 'application/json' }), 
      responseType: 'json', 
      params: parms, 
      withCredentials: true 
   } )
}

It returns with 'has no idea how you are' error. After several hours I tried to call it using fetch:

fetch(finalUrl, {
  method: 'DELETE',
  credentials: 'include',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Negotiate'
  }
})

Both fails. Debugging on the Net CORE REST API side I see that the Http Context knows nothing about the caller:

public WebLocatingService(IHttpContextAccessor httpContextAccessor)
{
    var ctx = httpContextAccessor.HttpContext;
    var identityName = ctx?.User?.Identity?.Name;
    < here I see identityName is null :( >

The angular project on IIS has the following web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

Since I do everything suggested on different angular blogs, document sites, etc ... still don't know where to find my mistake. I added the fetch call to check if my poor angular knowledge is the reason - but fetch also won't work. But from a console net core tool I can call the rest api with success, so I clearly has no idea what to do next.

Please, anyone has any idea how to solve the authentication problem?

---- ADDITIONAL INFO ---- (at the end) ---

  • enabling Anonymus on IIS seems resolving the CORS preflight problem, but wont force the JS side to send the auth data
  • disabling anonymus on IIS side + install CORS module is the way to solve the problems (not on IIS Express but on IIS)
  • HttpClient works well (with withCredentials: true ) - no doubt, even when the angular project is hosted by "ng server"
  • for some reasons fetch is a though guy in this case
Zoltan Hernyak
  • 989
  • 1
  • 14
  • 35
  • Please learn from IIS log files if you hit 401 on CORS preflight requests (HTTP verb OPTIONS), and then you need IIS CORS module to skip Windows authentication on those. BTW, try your best to move away from Windows authentication if you can. – Lex Li Feb 28 '23 at 08:39
  • CORS preflight is ok. The real call misses the auth tokens. Anyway - I cant move away from WIN AUTH as my company uses it. That is the way! – Zoltan Hernyak Feb 28 '23 at 09:25
  • The call pass through CORS, arrives to the REST API method - I was able to debug the call in Net CORE application and see that the identity information is missing! – Zoltan Hernyak Feb 28 '23 at 09:27
  • 1
    could you please enable anonymous authentication and windows authentication from iis site authentication feature. – Jalpa Panchal Feb 28 '23 at 10:16
  • Which IIS side? On REST API IIS? Windows + Anonymus is enabled (because of CORS). Might be the problem that Anonymus is enabled, so the Angular wont send the AUTH info?? – Zoltan Hernyak Feb 28 '23 at 11:47
  • When I disable the anonymus for the REST API IIS - the CORS preflight fails! :( – Zoltan Hernyak Feb 28 '23 at 11:52
  • 1
    could you try install iis cors to resolve the CORS preflight failing issue – Jalpa Panchal Feb 28 '23 at 12:27
  • I was able to get it work with the following configuration: both application (rest api + angularjs) is hosted on the very same IIS. I think it is because I wasnt able to get CORS module works on IIS, but when both are on the same IIS (has the same https://localhost prefix) CORS is not needed. Now I now that the problem is not with the code, but configuration settings. As I am not a it support guy - I am not familiar with the IIS and CORS and other magics. – Zoltan Hernyak Feb 28 '23 at 16:24
  • I wonder if hosting the angularJs with "ng server" - is it possible to get this case work? I mean is it possible to get the Angular app to access rest api with my identity? As I see now if hosting with "ng serve" the preflight request is success, but the real rest api call is rejected (and cant see the DELETE call on IIS log for some reason)... – Zoltan Hernyak Feb 28 '23 at 16:36
  • At the end I have a working REST API with CORS hosted on IIS, and a working Angular project hosted on "ng serve". What is still wont work: hosting the REST API on IIS Express. The web.config file including the section makes the IIS Express total crazy! :( – Zoltan Hernyak Feb 28 '23 at 19:27
  • what is your current web.config setting for the cors and what issue you are facing could you please help elaborate – Jalpa Panchal Mar 01 '23 at 06:07
  • what is your iis site bindings for both of the site – Jalpa Panchal Mar 01 '23 at 06:16
  • I asked here in a different question, as I think it is more of IT support problem - in which I am not familiar with. You can find my question here: https://stackoverflow.com/questions/75596590/iis-vs-iis-express-cors-module-wont-work/75598547#75598547 – Zoltan Hernyak Mar 01 '23 at 06:16

0 Answers0