0

We have hosted a few Angular and .Net Services. In the same server, we have MSSQl configured. When all the service's app pools in IIS, MSSQL Services etc were assigned to the my id, appication was giving CORS failures and I disabled webDAV. After that we didn't face any such issues.

Later on we configured the same app with GMSA id, and the webDAV is still disabled. Now the CORS issue is occurring again. The .Net API calls through Swagger are working, the issue is only when I try to login through Angular.

Is there any issue with the connection string, below are a few types I tried.

  1. "Connection": "server=MyServer;database="MyDB";user id='MyDomain\m-MyGMSAID$'; Trust Server Certificate=True;Persist Security Info=True; Integrated Security=SSPI;
  2. "Connection": "server=MyServer;database="MyDB";user id='MyDomain\m-MyGMSAID'; Trust Server Certificate=True;Persist Security Info=True; Integrated Security=SSPI;

How to overcome CORS where as no other explicit CORS policies have been set, on AWS, App Codes or IIS.

Haris
  • 85
  • 2
  • 9
  • 1
    If you are using integrated security, you don't pass the user id. It's Integrated Security (Windows Authentication) *or* User Name & Password (SQL Authentication). For the above connection string, the `User Id` parameter will likely be completely ignored; it'll certainly have no effect on who's credentials are used. – Thom A Apr 28 '23 at 10:31
  • Hi @ThomA, So I simply configure my IIS and MSSQL services with GMSA and not explicitly mention any user in app config? – Haris Apr 28 '23 at 10:39
  • 1
    Hmm, isn't CORS just a web policy? It has nothing to do with how you connect to sql server "in the back". – siggemannen Apr 28 '23 at 13:10
  • This is a web-level problem, nothing to do with SQL connection strings. How are you configuring CORS policy in your authentication and data services? How are you configuring the `Content-Security-Policy` in the `src/index.html` file of your Angular apps? There seems to be some disagreement between your app(s) and service(s). – AlwaysLearning Apr 28 '23 at 13:45
  • I agree, but after reviewing the code and server configurations, nowhere have we disabled CORS. The same set of code works in a different setup without any issues, and in the current setup if I provide a normal user's id and password, it doesn't throw this error at all. – Haris Apr 30 '23 at 05:19
  • @ThomA you were absolutely right. Just removing the user name from the connection string did the trick. Now my string is like this - `"Connection": "server=MyServer;database="MyDB"; Trust Server Certificate=True;Persist Security Info=True; Integrated Security=SSPI;` – Haris May 02 '23 at 08:07
  • @ThomA Please put your comment as answer, I shall approve it. – Haris May 02 '23 at 08:09

1 Answers1

0

This worked for me, and the services are running without any issues almost a month now. "Connection": "server=MyServer;database=MyDB;Trust Server Certificate=True;Persist Security Info=True; Integrated Security=SSPI;"

Haris
  • 85
  • 2
  • 9