1
votes

The situation is as follows:

  1. Services are hosted at, suppose, example_services.com. These services are ASP.NET Web API RESTful services. Windows authentication (NTLM) is enabled on them.

  2. The client is hosted at, suppose, example_client.com. It is an ASP.NET MVC application. Windows authentication (NTLM) is enabled on it. ASP.NET impersonation is also enabled on it.

Now the client wants to access all services offered by example_services.com using Windows Authentication. Hence both are hosted on different domains (cross domain).

Windows authentication is working properly on the client side, but we are getting a 401 (Access Denied error) while accessing services from example_services.com in example_client.com.

So I have the following questions:

  1. How to pass the credentials of a "logged on user" to the service.
  2. Is it possible to bypass the "Windows authentication window pop-up" every time the client tries to access any service?

2 Answers

4
votes

First of all, you need to enable Cross-Origin Requests in your Web API. Follow the instructions at the following link: Enabling Cross-Origin Requests

Then you have to pass credentials while making any request to your Web API from your client. See the information on passing credentials at the following link: Passing Credentials in Cross-Origin Requests

Hope this helps.

Regards, Arkadas

3
votes

> Now the client wants to access all services offered by example_services.com using Windows Authentication. Hence both are hosted on different domains (cross domain).

First, you are going to need to enable Cross Origin Resource Sharing. If you are unfamiliar with this concept, I refer you to RFC 6454.

Enabling CORS in WebAPI is really, really easy (it is in most web frameworks, actually). You're going to want to reference System.Web.Cors in your WebAPI Project. Then, to enable controller-based sharing, decorate your ApiController with the following attribute:

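using System.Web.Http;
using System.Web.Http.Cors; // EnableCorsAttribute lives in this namespace

namespace Example.WebAPI.Controllers
{
    // An origin is scheme + host (+ port); http:// is assumed here, use the scheme the client is actually served on
    [EnableCors(origins: "http://example_client.com", headers: "*", methods: "*", SupportsCredentials = true)]
    public class ExampleController : ApiController
    {
        // The kickers in that attribute are the "origins" and "SupportsCredentials"
        // Note that SupportsCredentials is not supported with wildcard origins
    }
}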

What this does is set the [Access-Control-Allow-Origin] response header based on a valid [Origin] request header being set. Doing this should open up your WebAPI to your calling client.

As you might imagine, the "methods" property of the attribute allows you to lock down specific HttpVerbs to access.

> How to pass the credentials of a "logged on user" to the service.

There is also a "SupportsCredentials" property on that attribute that would allow you to pass credentials with a request.

If you're trying to use NTLM Authentication, set the "SupportsCredentials" property of the EnableCors attribute to true. This will enable the Access-Control-Allow-Credentials HTTP header. Your credentials will not be sent down automagically, but you can send credentials by setting withCredentials: true on your XHR.

If your client is comfortable with basic auth, you should be able to do that in this way:

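$.ajax({
   url: url,
   data: {},
   // Backslash is escaped so the DOMAIN\user separator survives the string literal
   username: "corp.domain\\corp.username",
   password: "69iNgCh1pmunk5",
   xhrFields: {
      // Send credentials along with the cross-origin request
      withCredentials: true
   }
});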

CORS and Windows Authentication

More About Origin, Access-Control-Allow-Origin, and CORS


Enabling Cross Origin Requests in Web API


> Is it possible to bypass the "Windows authentication window pop-up" every time the client tries to access any service?

You're likely looking for a Single Sign-On solution. They are non-trivial as well.

[Edit]

withCredentials and basicAuth properties on a CORS Enabled endpoint should bypass the challenge popup. I initially interpreted that question wrong.
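
A simplified model of the credential rules described in the answer above, added here as an example; it is not part of the original answer and not Web API's own implementation. The `policy` object and both function names are hypothetical, and the server half deliberately refuses a wildcard origin combined with credentials.

```javascript
// Server side (hypothetical model): choose the CORS headers for a request Origin.
function corsHeadersFor(requestOrigin, policy) {
  const headers = {};
  if (!requestOrigin) return headers;            // no Origin header: not a CORS request
  const wildcard = policy.origins.includes("*");
  if (wildcard && policy.supportsCredentials) {
    // Reject at configuration time instead of silently echoing any origin.
    throw new Error("wildcard origin cannot be combined with credentials");
  }
  if (wildcard) {
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (policy.origins.includes(requestOrigin)) {
    // Echo the exact origin (scheme + host + port), never a pattern.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Vary"] = "Origin";                  // keep caches from mixing origins
    if (policy.supportsCredentials) {
      headers["Access-Control-Allow-Credentials"] = "true";
    }
  }
  return headers;
}

// Browser side: may script running on pageOrigin read the response?
function browserExposesResponse(pageOrigin, headers, withCredentials) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (!withCredentials) {
    return allowOrigin === "*" || allowOrigin === pageOrigin;
  }
  // Credentialed requests need an exact origin match AND the credentials flag.
  return allowOrigin === pageOrigin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed sample policy mirroring the attribute in the answer.
const policy = { origins: ["http://example_client.com"], supportsCredentials: true };
```
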