Mysterious 401 challenge when using AJAX

Question

I have a .NET Core web app hosted on the net.

I'm using claims based auth via cookies:

When login success...

var principal = new ClaimsPrincipal();
var id = new ClaimsIdentity(user);
id.AddClaim(new Claim("ViewData", "Allowed"));
id.AddClaim(new Claim("TenantId", user.TenantId));
principal.AddIdentity(id);
await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal);

This all works fine for every user apart from one - however, this one particular user (a 3rd party) is running into an auth popup in their browser (they've tried a few) when they interact with a particular page - every other page works fine.

This leads me to believe the issue is environmental, but I want to understand what could be happening here.

The only difference between the page in question and every other page is that this one does an AJAX post to a controller in order to save some data. The Home controller requires auth to view (or edit) the data.

[Authorize(Policy = "ViewData")]

The Ajax is your standard stuff

Razor:

$.ajax({
  type: 'POST',
  url: '@Url.Action("_Save", "Home")',
  dataType: 'json',
  contentType: 'application/json',
  data: ko.toJSON(viewModel.model()),
  success: function (result) {
  //... callback code etc

Checking the rendered JS shows that the AJAX call is relative to the current page and therefore isn't going to some strange URL

Raw JS:

$.ajax({
  type: 'POST',
  url: '/Home/_Save',
  dataType: 'json',
  contentType: 'application/json',
  data: ko.toJSON(viewModel.model()), // ... etc

I can see the cookie being included in the headers when I look in my browser:

accept: application/json, text/javascript, */*; q=0.01
accept-encoding: gzip, deflate, br
accept-language: en-GB,en-US;q=0.9,en;q=0.8
cache-control: no-cache
content-length: 4775
content-type: application/json
cookie: <cookie details here>

Unfortunately, it being a 3rd party I can't really connect to the machine to view the debug console for the browser.

The question I have really is a longshot - it sounds like it could be a proxy issue but I don't understand why making an AJAX call is any different to making the login POST request, unless of course my AJAX setup is missing some auth data that is required - maybe a header of some sort?

Has anyone seen something like this before?

Answer 1

I have seen issues somewhat like this, and they have generally been related to security settings. You might try looking into CSRF headers. It could be several things. This could include a local antivirus, on-machine firewall, anti-spyware, or other privacy / protection application. Since it is a single user, debugging it will be extremely difficult, and I would recommend you figure out how that user's security settings / applications vary from their colleagues'.

Adding your site to the trusted sites list in specific browsers may resolve the single issue. It's almost certainly something hidden in there.