6

I have a website and api hosted on IIS 8.5 and lately users of the site are getting the following console error when attempting to POST data to the api when using Microsoft Edge:

HTTP401: DENIED - The requested resource requires user authentication. (XHR)OPTIONS - http://my-local-address/api/customers/approval/post

Note: Users are authenticated by using Windows Authentication.

This occurs spontaneously and to get around the issue the users are forced to do a hard refresh (Ctrl + F5) on MS Edge and then they can continue with their process. Could there be a setting on IIS that's releasing the user authentication after a period of time?

I've listed my attempts to resolve the issue below:

  • I've got my organisation to add in a trusted policy for my local web address.
  • Changed the providers of the API. Moved NTLM above Negotiate.
  • Removed Negotiate based on this stackoverflow post Windows authentication failing in IIS 7.5.
  • Try and catch the error from the POST request but I'm returning null every time.
  • Configured CORS to allow for cross origin.

NB: I'm using angularjs for my front end and ASP.NET Web API 2 for the API.

The following code snippet details how the Web Api is configured:

WebApiConfig.cs

var cors = new EnableCorsAttribute("*", "*", "*") { SupportsCredentials = true };
config.EnableCors(cors);

Web.config

  <system.web>
    <identity impersonate="true" />
    <compilation debug="true" targetFramework="4.5.1">
      <assemblies>
        <add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </assemblies>
    </compilation>
    <httpRuntime targetFramework="4.5.2" />
  </system.web>
  <system.webServer>
     <validation validateIntegratedModeConfiguration="false" />
     <handlers>
        <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
        <remove name="TRACEVerbHandler" />
        <remove name="OPTIONSVerbHandler" />
        <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
     </handlers>
  </system.webServer>

Angular module config using $httpProvider to supply $http requests with credentials

$httpProvider.defaults.withCredentials = true;
Aleksey Solovey
  • 4,153
  • 3
  • 15
  • 34
slee423
  • 1,307
  • 2
  • 20
  • 34
  • 3
    Also having this issue on Edge 18/IE11 on Windows 10 with an Angular 5 application. I can log in fine on all other browsers – Chris Barr Mar 04 '19 at 14:59
  • @ChrisBarr did you ever figure it out? I'm having the same issue as you – sbattou Mar 28 '19 at 13:44
  • @sbattou sorry but no - best we could figure is that it was an issue with "secure cookies" not being set up properly on my dev machine... but we never really looked into it any farther – Chris Barr Mar 28 '19 at 14:08
  • @ChrisBarr was it working properly on other peoples machines? – sbattou Mar 28 '19 at 14:11
  • I think so... I am the newest developer at my organization and there is not a well documented setup process yet, so we might have missed something. – Chris Barr Mar 28 '19 at 14:21
  • @ChrisBarr I just posted a question if you want to check it out https://stackoverflow.com/questions/55405714/windows-authentication-not-showing-login-popup-when-not-authenticated-on-edge-an – sbattou Mar 28 '19 at 19:48

0 Answers0