I would like to access listdata.svc (SharePoint service) located on domainA.contoso.com from a web application located on .B.contoso.com. Authentication seems like a problem.
When I try to access ListData.svc using a jQuery Ajax call with CORS enabled, the server returns 401. If I run the same request from the .htm page that I run from within SharePoint, the call works fine because the domain is the same.
SharePoint uses NTLM with anonymous authentication disabled - I believe 401 is the result of Windows credentials not being sent to the SharePoint server, but I don't understand how to correctly add these credentials to the header. I installed xhrFields: {withCredentials: true}, but this does not seem to fix the authentication problem.
To enable CORS, I set the following HTTP response headers in SharePoint in IIS:
- Access-Control-Allow-Credentials: true
- Access-Control-Allow-Headers: Origin, Content-Type, Accept
- Access-Control-Allow-Origin: *
- Access-Control-Request-Methods: POST, GET, HEAD, OPTIONS
Windows authentication is included in IIS for my web application, and I did not set the HTTP OPTIONSVerbHandler HTTP handler in IIS. The appeal to reading does not seem to matter.
Calling jQuery Ajax (from an application on subdomainB.contoso.com):
    $.ajax({
        type: "GET",
        contentType: "application/json; charset=utf-8",
        url: listUrl,
        xhrFields: { withCredentials: true },
        crossDomain: true,
        processData: false,
        async: true,
        dataType: "json",
        converters: {
            // WCF Data Service .NET 3.5 incorrectly escapes single quotes, which is clearly
            // not required (and incorrect) in JSON specs.
            // http://bugs.jquery.com/ticket/8320?cversion=0&cnum_hist=1
            "text json": function (textValue) {
                return jQuery.parseJSON(textValue.replace(/(^|[^\\])\\'/g, "$1'"));
            }
        },
        success: function (data, status, xhr) {
            //successFunc(data.d.results);
            alert("working!");
        },
        error: function (xhr, status, error) {
            alert("failure!");
        }
    });
HTTP header and response 401:
    Key                               Value
    Request                           OPTIONS /_vti_bin/ListData.svc/Contacts HTTP/1.1
    Accept                            */*
    Origin                            http://domainB.contoso.com
    Access-Control-Request-Method     GET
    Access-Control-Request-Headers    content-type, accept
    Accept-Encoding                   gzip, deflate
    User-Agent                        Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
    Host                              domainA.contoso.com
    Content-Length                    0
    DNT                               1
    Connection                        Keep-Alive
    Cache-Control                     no-cache

    Key                               Value
    Response                          HTTP/1.1 401 Unauthorized
    Server                            Microsoft-IIS/7.5
    SPRequestGuid                     1e33061c-f555-451b-9d69-0d83eff5f5ea
    WWW-Authenticate                  NTLM
    X-Powered-By                      ASP.NET
    MicrosoftSharePointTeamServices   14.0.0.4762
    Access-Control-Allow-Headers      Origin, Content-Type, Accept
    Access-Control-Allow-Origin       *
    Access-Control-Request-Methods    POST, GET, HEAD, OPTIONS
    Access-Control-Allow-Credentials  true
    Date                              Wed, 15 May 2013 15:04:51 GMT
    Content-Length                    0
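
Added example, not part of the original question: a small check that audits a preflight response against the rules browsers apply to credentialed cross-origin requests, run over the values from the capture above. The function name `auditPreflight`, the object shapes and the `corrected` response are assumptions constructed for illustration.

```javascript
// Added example; auditPreflight and the req/res object shapes are hypothetical.
function auditPreflight(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = String(v).trim();
  const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const out = [];
  const add = (id, detail) => out.push({ id, detail });

  // The browser sends the preflight without credentials, so it needs an anonymous 2xx.
  if (res.status < 200 || res.status > 299)
    add("preflight-status", `OPTIONS returned ${res.status}; the preflight carries no credentials`);

  // With withCredentials: true the origin must be named exactly; "*" is rejected.
  const acao = h["access-control-allow-origin"];
  if (acao === "*") add("wildcard-origin", "'*' is not accepted for credentialed requests");
  else if (acao !== req.origin) add("origin-mismatch", `expected ${req.origin}, got ${acao}`);
  if (h["access-control-allow-credentials"] !== "true")
    add("credentials-not-allowed", "Access-Control-Allow-Credentials must be exactly 'true'");

  // Access-Control-Request-* are request headers; a browser ignores them in a response.
  for (const name of Object.keys(h))
    if (name.startsWith("access-control-request-"))
      add("misnamed-header", `${name} is a request-side name; responses use Access-Control-Allow-*`);

  // GET, HEAD and POST pass without being listed; any other method must be.
  const method = req.method.toLowerCase();
  if (!["get", "head", "post"].includes(method) && !list(h["access-control-allow-methods"]).includes(method))
    add("method-not-allowed", method);
  // Requested headers must be listed by name.
  const allowed = list(h["access-control-allow-headers"]);
  for (const name of list(req.requestHeaders))
    if (!allowed.includes(name)) add("header-not-allowed", name);
  return out;
}

// Request and response values copied from the capture in the question.
const request = { origin: "http://domainB.contoso.com", method: "GET", requestHeaders: "content-type, accept" };
const shared = { "Access-Control-Allow-Headers": "Origin, Content-Type, Accept", "Access-Control-Allow-Credentials": "true" };
const captured = { status: 401, headers: { ...shared,
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Request-Methods": "POST, GET, HEAD, OPTIONS" } };
// Constructed response with the corrected values (origin taken from a server-side allow-list).
const corrected = { status: 200, headers: { ...shared,
  "Access-Control-Allow-Origin": request.origin,
  "Access-Control-Allow-Methods": "POST, GET, HEAD, OPTIONS" } };

for (const f of auditPreflight(request, captured)) console.log(`${f.id}: ${f.detail}`);
console.log("findings for corrected response:", auditPreflight(request, corrected).length);
```

When the allowed origin is chosen per request, it should come from a fixed allow-list on the server rather than being echoed from the incoming `Origin` header.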