I have an ASP.NET website that uses Form Based Authentication and validates users from Active Directory. I have a separate RESTful WCF service that is Windows Authenticated. Below is its endpoint:
    <bindings>
      <webHttpBinding>
        <binding name="RestBinding" maxReceivedMessageSize="2147483647"
                 maxBufferPoolSize="2147483647">
          <readerQuotas maxDepth="2147483647" maxArrayLength="2147483647"
                        maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"
                        maxStringContentLength="2147483647" />
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </webHttpBinding>
    </bindings>
Both sites need to be on HTTPS. I am making a cross-domain call to the REST service from the ASP.NET site. Everything works great if the service is anonymous and on HTTP. The moment I bind SSL to the service and enable Windows authentication on it, I start getting a 401 authentication failure in the ASP.NET site.
I even tried passing the FBA username to the WCF service and forcing a login, but it did not work. See the code below:
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext.Current.User = new WindowsPrincipal(
            new WindowsIdentity(Request["Login_User"].ToString()));
    }
And I have the CORS headers in place:
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (Request.ServerVariables["HTTP_ORIGIN"] != null)
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", Request.ServerVariables["HTTP_ORIGIN"]);
        else if (Request.UrlReferrer != null)
        {
            Uri urlOrgin = new Uri(Request.UrlReferrer.AbsoluteUri);
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", urlOrgin.ToString().Replace(urlOrgin.PathAndQuery, string.Empty));
        }
        else
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");

        HttpContext.Current.Response.AddHeader("Access-Control-Allow-Credentials", "true");

        if (HttpContext.Current.Request.HttpMethod.ToUpper() == "OPTIONS")
        {
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "POST, PUT, DELETE, GET, OPTIONS");
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization");
            HttpContext.Current.Response.AddHeader("Access-Control-Max-Age", "1728000");
            HttpContext.Current.Response.AddHeader("Access-Control-Expose-Headers", "WWW-Authenticate");
            HttpContext.Current.Response.End();
        }
    }
Look at my jQuery call:
    $.ajax({
        type: "GET",
        url: surl,
        dataType: "json",
        contentType: 'application/json; charset=utf-8',
        data: JSON.stringify({ Login_User: "xxxx.xxxx" }),
        xhrFields: {
            withCredentials: true
        },
        success: function (data) {
            alert(JSON.stringify(data));
        },
        error: function (a) {
            alert(JSON.stringify(a));
        }
    });
I even tried NTLM.js, but with no result. Please help me get past this.
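The Application_BeginRequest handler above echoes whatever Origin or Referer the request carries and always sets Access-Control-Allow-Credentials to "true", so any site can read the service's authenticated responses, and browsers ignore the "*" fallback when credentials are sent. The following is an added example, not part of the original post, that restricts credentialed CORS to an origin allowlist; the CorsPolicy class and the https://portal.example.com origin are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;

// Added example: decide which CORS headers a credentialed request may receive.
public static class CorsPolicy
{
    // Assumption: the one site allowed to call the service (placeholder host).
    static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.Ordinal) { "https://portal.example.com" };

    public static Dictionary<string, string> HeadersFor(string origin, string method)
    {
        // The response depends on Origin, so caches must key on it.
        var headers = new Dictionary<string, string> { { "Vary", "Origin" } };

        // Missing or unlisted origin: send no CORS headers, so the browser
        // refuses to expose the response to the calling page.
        if (string.IsNullOrEmpty(origin) || !AllowedOrigins.Contains(origin))
            return headers;

        // Credentialed CORS needs the exact origin, never "*".
        headers["Access-Control-Allow-Origin"] = origin;
        headers["Access-Control-Allow-Credentials"] = "true";

        if (string.Equals(method, "OPTIONS", StringComparison.OrdinalIgnoreCase))
        {
            headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS";
            headers["Access-Control-Allow-Headers"] = "Content-Type, Accept, Authorization";
            headers["Access-Control-Max-Age"] = "600";
        }
        return headers;
    }

    public static void Main()
    {
        // Constructed sample requests: { Origin header, HTTP method }.
        var samples = new[]
        {
            new[] { "https://portal.example.com", "OPTIONS" },
            new[] { "https://portal.example.com", "GET" },
            new[] { "https://other.example.net", "GET" },
            new[] { null, "GET" },
        };
        foreach (var s in samples)
        {
            Console.WriteLine("Origin={0} Method={1}", s[0] ?? "(none)", s[1]);
            foreach (var h in HeadersFor(s[0], s[1]))
                Console.WriteLine("  {0}: {1}", h.Key, h.Value);
        }
    }
}
```

In Global.asax the returned pairs would be written with Response.AddHeader, as the handler in the post already does for its own headers.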