Mvc: ASP.NET CORS Issue with Windows Auth using HTTP.SYS hosting

Created on 13 Oct 2017 · 7Comments · Source: aspnet/Mvc

Hi,

I am trying couple of scenarios here. Currently, I am running on HTTP.sys using Windows Auth. Angular 4 being the Frontend App having a different port say 4200. My ASP.NET Core App, I am running on port 7000, which is serving data to FE app. Obviously, this is classic example of CORS, which I have enabled via below settings.

services.AddCors(options =>
{
options.AddPolicy("CorsPolicy",
builder => builder.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials()
.SetPreflightMaxAge(TimeSpan.FromSeconds(2520))
.Build());
});

        services.AddMvc();

and then in Configure method

app.UseCors("CorsPolicy");
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});

Then in controller saying
[Route("api/[controller]")]
[EnableCors("CorsPolicy")]

With that being said, this CORS policy go well with GET option only. In case of POST, PUT, it gets failed with preflight condition saying

"Failed to load http://localhost:7000/api/expense: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access. The response had HTTP status code 401." Is there anything missing here like any more setting is required or is this bug?

Thanks,
Rahul

Source

rahulsahay19

All 7 comments

Sounds like you have auth in front of your CORS middleware, so it ends up returning 401 before the preflight requests reaches the CORS middleware.

khellang on 13 Oct 2017

I guess, since this is related to Windows auth, you have to also enable anonymous auth (for preflight requests) and make sure you have a filter for MVC. See https://github.com/aspnet/CORS/issues/60

khellang on 13 Oct 2017

Yeah thanks. The problem with that approach is it always sends anonymous credentials. For GET operation, its fine. But for POST, I need username from the identity. I tried with simple [Authorize] attribute, it doesn't hit the method. Similarly, I tried setting up policy like

services.AddAuthorization(configure =>
{
configure.AddPolicy("PostMethods", policy =>
{
//Access to Admin,Manager,Finance
policy.RequireAuthenticatedUser();
});
});
and on method like [Authorize(Policy = "PostMethods")]

It doesn't hit the controller and gave error like

POST http://localhost:7000/api/expense 500 (Internal Server Error)

newexpense:1 Failed to load http://localhost:7000/api/expense: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:4200' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Same problem with [Authorize] attribute also. Is there any other technique via windows auth can be used at controller level.

From Client, I am sending like

submitExpense(expense) {
const body = JSON.stringify(expense);
const headers = new Headers({ 'Content-Type': 'application/json' });
return this.http.post(this.originUrl + 'api/expense', body, { headers: headers,withCredentials:true })
//Once, we get the response back, it has to get mapped to json
.map(res => res.json());
}

Thanks,
Rahul

rahulsahay19 on 13 Oct 2017

Fixed that! Thanks, closing Issue

rahulsahay19 on 13 Oct 2017

👎4

How did you fix it?

I have the same problem, I am trying to impersonate (var user = User.Identity as WindowsIdentity;), but value is always null.

POST is allowed when I select both (anonymous and win auth), but there is no a user when both are selected, if I use only win auth, I get a valid user, but it only works for GET method.

Thanks