I have two projects; one is an MVC project using angular (so it's not a real MVC), and the other is a WebAPI2 project with various controllers that feed data and receive data from the first project.
The first project uses angular $ http to request the WebAPI service:
var request = $http({ method: "GET", url: "http://localhost:1234/api/Entity/", json: true, crossDomain: true, datatype: 'json', params: { action: "get" }, withCredentials: true });
When this is done in IE10, the data is returned without any problems. However, doing this in Chrome or Firefox results in error 401. I used Fiddler to examine the difference between requests and narrowed it down to the Authorization header. The IE request is as follows:
GET http://localhost:1234/api/Entity?action=get HTTP/1.1 Referer: http://localhost:1234/Home Accept: application/json, text/plain, */* Accept-Language: en-GB Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) Connection: Keep-Alive DNT: 1 Authorization: Negotiate oXcwdaADCgEBoloEWE5UTE1TU1AAAwAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAABXCiOIGAbEdAAAAD+mN4751DVFNv2xW6c59dCajEgQQAQAAAPUXp1AtIpqEAAAAAA== Host: localhost:58843
From what I can compile, the token format indicates that it uses NTLM protection. Is there something I can do to pass this authorization header that will be sent via the $ http request?
I do not see that there is any security specified in the WebAPI service (I inherited this project in the last couple of days, so I am not familiar with it yet); is the authorization header sent because it is a CORS request?
I am currently going to move WebAPI controllers to the first project to avoid cross domain calls; maybe this is the best thing to do, given that this REST service will only be called by the MVC project?
Any help would be greatly appreciated!