All geek questions in one place

Invalid request returned only with IE 11 on the remote computer for XHR that passes credentials

I tried to figure out what part I was missing when creating XHR for the MS Web API, which requires Windows auth.

This request works locally in both Chrome and IE 11, as well as in Chrome on a remote field (and not on the server). The problem is in IE 11 on the remote box.

According to dev tools IE makes 3 requests. The first two requests pass the Authorization Header: Negotiate and return 401s (preflights for CORS?). However, the third returns 400. It seems that it cannot authenticate as I don’t understand, especially since other browsers and local tests work.

The API is a standalone OWIN console application. Here's the launch:

public void Configuration(IAppBuilder appBuilder) { appBuilder.UseCors(CorsOptions.AllowAll); var listener = (HttpListener)appBuilder.Properties["System.Net.HttpListener"]; if (listener != null) { listener.AuthenticationSchemeSelectorDelegate = request => { if (string.Compare(request.HttpMethod, "OPTIONS", StringComparison.OrdinalIgnoreCase) == 0) { return AuthenticationSchemes.Anonymous; } else { return AuthenticationSchemes.IntegratedWindowsAuthentication; } }; } var config = new HttpConfiguration(); config.Routes.MapHttpRoute("DefaultApi", "api/{controller}/{action}/{id}", new { id = RouteParameter.Optional }); appBuilder.UseWebApi(config); }

Here's the client XHR call:

 var request = new XMLHttpRequest(); request.open('GET', 'http://xxxx:9000/api/test/something', true); request.timeout = 10000; request.withCredentials = true; request.onload = function() { if (request.status >= 200 && request.status < 400) { console.log('done'); } else { console.error('error'); } }; request.onerror = function() { // There was a connection error of some sort }; request.send();

And the API controller:

 [Authorize] [RoutePrefix("api/test")] public class TestController : ApiController { [HttpGet] [ActionName("something")] public IHttpActionResult Something() { return Ok(); } }

2 Requests return 401 and one that returns 400:

 First 401: Request URL: http://xxxx:9000/xxxx Request Method: GET Status Code: 401 / Unauthorized Request Headers Accept: */* Accept-Encoding: gzip, deflate Accept-Language: en-US Authorization: Negotiate [token] Connection: Keep-Alive Host: xxxx:9000 Referer: http://xxxx/xxxx.html User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3) Response Headers Content-Length: 0 Date: Fri, 22 Dec 2017 14:03:09 GMT Server: Microsoft-HTTPAPI/2.0 WWW-Authenticate: Negotiate [token] ------------- Second 401 Request URL: http://xxxx:9000/xxxx Request Method: GET Status Code: 401 / Unauthorized Request Headers Accept: */* Accept-Encoding: gzip, deflate Accept-Language: en-US Authorization: Negotiate [token] Connection: Keep-Alive Host: xxxx:9000 Referer: http://xxxx/xxxx.html User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3) Response Headers Content-Length: 0 Date: Fri, 22 Dec 2017 14:03:09 GMT Server: Microsoft-HTTPAPI/2.0 WWW-Authenticate: Negotiate [token] ----------- 400 Request URL: http://xxxx:9000/xxxx Request Method: GET Status Code: 400 / Bad Request Request Headers Accept: */* Accept-Encoding: gzip, deflate Accept-Language: en-US Authorization: Negotiate [token] Connection: Keep-Alive Host: xxxx:9000 Referer: http://xxxx/xxxx.html User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3) Response Headers Content-Length: 0 Date: Fri, 22 Dec 2017 14:03:12 GMT Server: Microsoft-HTTPAPI/2.0
+5
source share
2 answers

Reliable site

I assume that the remote machine is limited to domain policies and your site is not considered to be a reliable site on this machine.

Add (or ask to add, if the policies are set by IT) on your website the appropriate security zone (local intranet or trusted sites), and the problem should be fixed.

Document mode

While you're on it, see if they are pushing any old document mode for IE11 to run).

Enable CORS for WebAPI

I see that you are already calling UseCors in the OWIN IAppBuilder , but you can also try to enable CORS in the HttpConfiguration instance:

 config.EnableCors(new EnableCorsAttribute("*", "*", "GET, POST, OPTIONS, PUT, DELETE"));
+1
source

I did the following to pass the HttpOnly cookie / token using XHR:

  • Use axioms or a similar library on the client and use a configuration containing withCredentials:

      import axios from 'axios'; const config = { method: 'get', url: 'http://xxxx:9000/api/test/something', timeout: 5000, withCredentials: true }; //if (setCookie === true) { //config.mode = 'no-cors'; // <= THIS IS IMPORTANT IF SETTING COOKIE! //} const response = await axios(config);

  • On the server, set the cors options:

     const corsOptions = { origin: 'http://xxxx:9000', // Set explicit origin! methods: ['GET', 'POST', 'PUT', 'DELETE'], // Allow method(s)! credentials: true //enable server to see credentials. };

source: xhr.spec.whatwg.org

I hope this works for you too, it took a while before it worked. If this fails, window.postMessage a long snapshot may work. Finally, if you use windows, it is also possible that this is a local problem:

Regardless of the security zone of your website (Internet Options> Security), make sure that you include the following settings in your zone: Miscellaneous> Access to data sources by domain.

+1
source

Source: https://habr.com/ru/post/1274208/

More articles:


All Articles