Web API 2.1 Windows Authentication CORS Firefox

Here's the scenario:

I created a web api project and an mvc project, like so:

http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api

I installed CORS support via nuget and added the EnableCorsAttribute

I ran the project and everything worked as expected (GET, PUT, and POST) across Chrome, IE, and FireFox.

I then enabled Windows Authentication in the web api project (yes, I really need win auth in the api project). In order to get this to work, I added the xhrFields arg to my jQuery.ajax call:

        // method, serviceUrl and foo are defined elsewhere in the page script
        // (HTTP verb, absolute URL of the Web API endpoint, and the payload object).
        $.ajax({
            type: method,
            url: serviceUrl,
            data: JSON.stringify(foo),
            contentType: 'application/json; charset=UTF-8',   // non-simple header => browser sends an OPTIONS preflight
            xhrFields: {
                withCredentials: true   // send ambient (Windows) credentials on the cross-origin request
            }
        }).done(function (data) {
            $('#value1').text(data);
        }).fail(function (jqXHR, textStatus, errorThrown) {   // .fail() replaces the deprecated .error() (removed in jQuery 3)
            $('#value1').text(jqXHR.responseText || textStatus);
        });

In addition, I set the EnableCorsAttribute.SupportsCredentials property = true

I tested everything out. Chrome and IE worked, FireFox did not. Firefox receives a 401 in response to its preflight (OPTIONS) request.

It seems as though FireFox is not making an attempt to authenticate with the service.

Has anyone found a solution to this problem?

ahanusa asked Mar 04 '14 21:03



1 Answer

I figured out a 2-part solution.

The issue is that when Firefox issues an OPTIONS request and is denied with a 401, it makes no further attempt to re-authenticate. This led me down a path to bypass authentication on all OPTIONS requests. I couldn't find much information on the subject, but I did find this:

401 response for CORS request in IIS with Windows Auth enabled

(Original page content quoted below)

Enabling NTLM Authentication (Single Sign-On) in Firefox

This HowTo will describe how to enable NTLM authentication (Single Sign-On) in Firefox.

How many of you have noticed that when you are using Internet Explorer and you browse to your company's intranet page it will automatically authenticate you, but when you use Firefox you will be prompted with a login box?

I recently, in searching for solutions to allow NTLM authentication with Apache, stumbled across how to set a preference in Firefox that will pass the NTLM authentication information to a web server. The preference is network.automatic-ntlm-auth.trusted-uris.

So how do you do it?

1) Open Firefox and type “about:config” in the address bar. (without the quotes of course)

2) In the ‘Filter’ field type the following “network.automatic-ntlm-auth.trusted-uris”

3) Double click the name of the preference that we just searched for

4) Enter the URLs of the sites you wish to pass NTLM auth info to in the form of:

http://intranet.company.com,http://email.company.lan

5) Notice that you can use a comma separated list in this field.

6) Updated: I have created a VBScript that can be used to insert this information into a user's prefs.js file by using group policy, or standalone if for some reason you want to use it for that.

The script is available to be downloaded here.

After downloading the script you will want to extract it from the ZIP archive and then modify the line starting with strSiteList.

NOTE: This script will not perform its function if the user has Firefox open at the time the script is executed. Running the script through group policy will work without problem unless for some reason your group policy launches Firefox before the execution of this script.

You can read through the rest of the script for additional information. If you have questions, comments or concerns please let me know.

Based on that, I set Anonymous Authentication to Enabled in the api project's settings (I still also had Windows Authentication set to Enabled).

After running the projects (mvc and api), I was prompted for credentials when issuing a CORS request. After supplying my credentials, I was able to make GET/POST/PUTs with Firefox successfully.

To eliminate the prompting of credentials in Firefox, I received a tip from Brock Allen that led me down the path of enabling NTLM authentication. I found a post here that offers instructions on how to make the appropriate settings change.

After adding 'http://localhost' to the network.negotiate-auth.trusted-uris setting, I am now able to issue CORS requests against all verbs using Firefox without prompting for credentials.

ahanusa answered Oct 22 '22 16:10
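The server side that goes with the question's jQuery call and the answer's IIS change, as an added example (not the poster's code and not from the linked article): a Web API 2.x configuration that lets the credential-less OPTIONS preflight through while keeping every real request behind Windows Authentication. It assumes, as the answer describes, that IIS has both Anonymous Authentication and Windows Authentication enabled for the API application; the origin https://app.example.com, the header/method lists and the ValuesController are assumptions for illustration.

```csharp
// Added example, not the original poster's code. Assumes IIS has BOTH
// "Anonymous Authentication" and "Windows Authentication" enabled for the API
// application, so the browser's credential-less preflight is not rejected by
// IIS before ASP.NET sees it. The origin below is an assumed value.
using System.Web.Http;
using System.Web.Http.Cors;

public static class WebApiConfig
{
    // Keep this an explicit list. With SupportsCredentials = true a wildcard
    // origin would let any site the user happens to be browsing make requests
    // that carry the user's ambient Windows credentials (assumed client origin).
    private const string AllowedOrigins = "https://app.example.com";

    public static void Register(HttpConfiguration config)
    {
        var cors = new EnableCorsAttribute(
            origins: AllowedOrigins,
            headers: "Content-Type",     // the jQuery call sends application/json, which triggers a preflight
            methods: "GET,POST,PUT")     // verbs the question exercises
        {
            SupportsCredentials = true   // emits Access-Control-Allow-Credentials: true
        };

        // The CORS message handler answers OPTIONS preflights itself, before any
        // authorization filter runs, so a preflight never needs a Windows identity.
        config.EnableCors(cors);

        // IIS now accepts anonymous requests, so require an authenticated caller
        // for every action at the Web API layer instead. An unauthenticated real
        // request gets 401 here and, with withCredentials set, the browser retries
        // it with NTLM/Negotiate; the preflight is never subject to this filter.
        config.Filters.Add(new AuthorizeAttribute());

        config.MapHttpAttributeRoutes();
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional });
    }
}

// Assumed controller for illustration: User.Identity.Name is the Windows
// account the credentialed cross-origin request authenticated as.
public class ValuesController : ApiController
{
    [HttpGet]
    public IHttpActionResult Get()
    {
        return Ok("Hello " + User.Identity.Name);
    }
}
```

The split matters because the preflight by specification never carries credentials: authentication must be decided per request at the Web API layer (the global AuthorizeAttribute), not by IIS refusing every anonymous request. Pair this with the Firefox trusted-uris change from the answer, which only decides whether Firefox will send NTLM/Negotiate to that host without prompting; it does nothing for the preflight itself.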