
Calling WebAPI2 service from AngularJS with NTLM security

I have two projects; one is an MVC project using angular (so not real MVC) and the other is a WebAPI2 project with various controllers feeding data to and accepting data from the first project.

The first project is using angular's $http to query the WebAPI service:

var request = $http({
    method: "GET",
    url: "http://localhost:1234/api/Entity/",
    json: true,
    crossDomain: true,
    datatype: 'json',
    params: { action: "get" },
    withCredentials: true
});

When this runs in IE10, the data is returned without any problem at all. However, running this in Chrome or Firefox results in a 401 error. I've used Fiddler to examine the difference between the requests and have narrowed it down to the Authorization header. The IE request looks like this:

GET http://localhost:1234/api/Entity?action=get HTTP/1.1
Referer: http://localhost:1234/Home
Accept: application/json, text/plain, */*
Accept-Language: en-GB
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Connection: Keep-Alive
DNT: 1
Authorization: Negotiate oXcwdaADCgEBoloEWE5UTE1TU1AAAwAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAABXCiOIGAbEdAAAAD+mN4751DVFNv2xW6c59dCajEgQQAQAAAPUXp1AtIpqEAAAAAA==
Host: localhost:58843

From what I can gather, the format of the token indicates that it is using NTLM security. Is there something I can do to force this Authorization header to be sent via the $http request?

I can't see that there is any security specified in the WebAPI service (I've inherited this project in the last couple of days so am not entirely familiar with it yet); is the Authorization header being sent since it is a CORS request?

I'm currently at the point of moving the WebAPI controllers into the first project to avoid any cross domain calls; perhaps this is the best thing to do given that this REST service will only be called by the MVC project?

Any help would be much appreciated!

asked Jan 30 '15 14:01

Loki
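
The question infers the mechanism from the look of the token. As an added example (not part of the original question or answer), the Node.js sketch below decodes an Authorization value and checks for the NTLMSSP signature and message type, which is how to tell NTLM (raw or wrapped in SPNEGO) from another Negotiate mechanism. The function name `classifyAuthHeader` and the two constructed sample headers are assumptions; the first header is the one from the capture above.

```javascript
// Added example, not code from the question or answer. Runs under Node.js.
const SIG = Buffer.from("NTLMSSP\0", "latin1"); // signature that opens every NTLM message
const TYPES = { 1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE" };

// Classify an Authorization header value (hypothetical helper).
// Heuristic: searches for the NTLMSSP signature instead of fully parsing
// the SPNEGO ASN.1 wrapper.
function classifyAuthHeader(value) {
  const m = /^\s*(Negotiate|NTLM)\s+([A-Za-z0-9+/]+=*)\s*$/i.exec(value);
  if (!m) return { scheme: null, mechanism: "unrecognized" };
  const scheme = m[1].toLowerCase() === "ntlm" ? "NTLM" : "Negotiate";
  const token = Buffer.from(m[2], "base64");
  // SPNEGO tokens start with 0x60 (NegTokenInit) or 0xa1 (NegTokenResp).
  const spnego = token[0] === 0x60 || token[0] === 0xa1;
  const at = token.indexOf(SIG);
  if (at === -1 || at + 12 > token.length) {
    // No NTLMSSP message inside; under Negotiate this is usually Kerberos.
    return { scheme, spnego, mechanism: "other" };
  }
  const type = token.readUInt32LE(at + 8); // 4-byte little-endian message type
  return { scheme, spnego, mechanism: "NTLM",
           messageType: TYPES[type] || `unknown(${type})` };
}

// Header value copied from the IE capture in the question.
const PAGE_HEADER = "Negotiate oXcwdaADCgEBoloEWE5UTE1TU1AAAwAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAABXCiOIGAbEdAAAAD+mN4751DVFNv2xW6c59dCajEgQQAQAAAPUXp1AtIpqEAAAAAA==";

// Constructed sample: a bare NTLM type 1 message (signature, type, flags, empty fields).
const RAW_TYPE1 = "NTLM " + Buffer.concat([
  SIG, Buffer.from([1, 0, 0, 0, 0x07, 0x82, 0x08, 0x00]), Buffer.alloc(16),
]).toString("base64");

// Constructed sample: placeholder bytes shaped like a GSS-API token with no
// NTLMSSP message inside (not a real Kerberos ticket).
const NON_NTLM = "Negotiate " + Buffer.from(
  [0x60, 0x0a, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02, 0x00, 0x00]
).toString("base64");

for (const h of [PAGE_HEADER, RAW_TYPE1, NON_NTLM]) {
  console.log(classifyAuthHeader(h));
}
```
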


1 Answer

Firefox (actually any browser other than IE) does not support native NTLM, but you can get this to work with the use of this add-on: https://addons.mozilla.org/en-US/firefox/addon/integrated-auth-for-firefox/

I use it and whitelist my internal domain and am able to make the same kind of calls from angular to WebApi as you can with IE. If you watch the network tab of the dev console you'll see the negotiation attempts with a couple 401 rejections before you get the 200, but that doesn't bubble up to your app until after negotiation is completed.

answered Sep 30 '22 02:09

Bon