Oidc-client-js: oidc client - Windows Auth

Created on 5 Oct 2017 · 8 comments · Source: IdentityModel/oidc-client-js

Hi,

I am working on a solution using IdentityServer4 in a windows environment. I would like to automatically log windows users on if windows credentials are available. I have a solution set up with an ng4 client which is very similar to the quickstarts: 7_JavaScriptClient sample.

It all works fine with normal/test logins, but when I enable Windows Auth in IIS Express (I have tried with both https and http) Chrome does not pass the Windows credentials through. In the ng world I would normally add the withCredentials flag to the XMLHttpRequest, but looking at the source code this does not seem to be done in the oidc-client library.

I have looked into setting the angular app as a trusted intranet site, but this option is locked down on my corporate network. Note that IE prompts for windows credentials then works. I would like these credentials to be passed through silently if at all possible.

I wonder if an option can be added to set the withCredentials flag on the _XMLHttpRequest object in the JsonService?

Any suggestions?

Many thanks,

Richard

All 8 comments

Apologies, just me being a muppet. Didn't completely understand that this bit is handled outside JS with a page redirect...

Hey, @rpenrose . How did you resolve this? I am trying to get the JavaScriptClient sample working with Windows Auth as well. Where does the withCredentials flag need to be set?

You need to instruct the browser to send the windows credentials to IdentityServer when the oidc-client does the redirect. Note this is not an oidc-client thing it is a browser thing and needs to be set up in the Internet Options for Chrome (or other browser).

To do this you need to add your site to the list of intranet sites and instruct it to automatically send Windows credentials to intranet sites. You can do this with the group policy editor on your machine, see: http://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/

Then configure group policy to automatically send windows credentials to intranet sites: https://docs.microsoft.com/en-us/previous-versions/office/communications-server/dd572939(v=office.13)

Note that Chrome uses the same settings as IE for this kind of stuff.

If you need to do this across the domain, you can configure a domain-level policy (I think) to roll this out to all machines in the domain.

Hope that this helps!

Oof. Wow, that's kind of annoying. Thanks for your detailed and prompt response. Super helpful. Will look into that.

So, just to clarify, to your knowledge, the only way to enable a JS/SPA client to talk to IdentityServer4 with Windows Authentication is to do the domain/browser configuration you described above and enable Windows Authentication (but not Anonymous Authentication) in IIS for the IdentityServer4 instance?

Enable both Windows and Anonymous on IIS for IdentityServer, as it needs to pass Windows credentials to authenticate, but not when your API connects to IdentityServer for token validation.

You will also need to remove "Negotiate" from the Windows auth providers in IIS, just leave NTLM, see: https://support.citrix.com/article/CTX221693
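An added example of applying the IIS layout this comment describes (it is not code from the thread or from the oidc-client-js project): it uses the WebAdministration module against full IIS, so IIS Express's own applicationhost.config is not covered, and the site/application names are placeholders.

```powershell
# Added example (not from the thread): apply the IIS authentication settings described
# in the comment above using the WebAdministration module on full IIS.
# Assumptions: site/application paths below are placeholders; IIS Express is not covered.
Import-Module WebAdministration

$idsLocation = 'Default Web Site/identityserver'   # placeholder: the IdentityServer4 app
$apiLocation = 'Default Web Site/api'              # placeholder: the JWT-protected API
$appHost     = 'MACHINE/WEBROOT/APPHOST'           # write to applicationHost.config
$winAuth     = 'system.webServer/security/authentication/windowsAuthentication'
$anonAuth    = 'system.webServer/security/authentication/anonymousAuthentication'

# IdentityServer: Windows auth on (used for the login challenge after the oidc-client
# redirect) and Anonymous on (discovery and token endpoints are called without a Windows identity).
Set-WebConfigurationProperty -PSPath $appHost -Location $idsLocation -Filter $winAuth  -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $idsLocation -Filter $anonAuth -Name enabled -Value $true

# Restrict the Windows auth providers to NTLM only, i.e. drop Negotiate as the comment suggests.
Clear-WebConfiguration       -PSPath $appHost -Location $idsLocation -Filter "$winAuth/providers"
Add-WebConfigurationProperty -PSPath $appHost -Location $idsLocation -Filter "$winAuth/providers" -Name '.' -Value @{ value = 'NTLM' }

# API: Anonymous only. Authorization is done entirely by validating the bearer JWT in the app,
# so IIS must not demand a Windows identity from the SPA's XHR calls.
Set-WebConfigurationProperty -PSPath $appHost -Location $apiLocation -Filter $winAuth  -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $apiLocation -Filter $anonAuth -Name enabled -Value $true

# Verify: show the effective settings for both locations.
foreach ($loc in $idsLocation, $apiLocation) {
    $w = Get-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter $winAuth  -Name enabled
    $a = Get-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter $anonAuth -Name enabled
    $p = (Get-WebConfiguration -PSPath $appHost -Location $loc -Filter "$winAuth/providers/add").value -join ','
    '{0}: windowsAuthentication={1} anonymousAuthentication={2} providers=[{3}]' -f $loc, $w.Value, $a.Value, $p
}
```

Removing Negotiate means Kerberos is never used for the IdentityServer site; keep Negotiate where your clients and SPNs work with it, and fall back to NTLM-only only once you have confirmed Negotiate is what breaks the flow.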

Hmm, whenever I enable Anonymous Authentication, IdentityServer4 fails to log on with Windows Authentication. If I disable Anonymous, the Windows Authentication works, but I still get the 401 CORS issues in Chrome (all works dandy in IE with Anonymous disabled)... Still experimenting.

I am not running IdentityServer at the moment on my current project, so I can't check. Maybe you do need to disable anonymous. If that works, then that should be fine.

You definitely need Anonymous on your API, as all auth is done through the JWT.

Apologies if I was wrong about IIS Windows auth for IdentityServer, I am working from memory.
