Solved

Problem with windows auth and CORS when logon popup opens

Posted on 2016-08-12
Last Modified: 2016-08-20
Hello all, thanks in advance

I am having an issue that is very specific. I am not fully aware of all the entrapments that CORS and Windows auth have, but I am trying to implement Windows auth for SSO on a web project I am currently working on.

I have it working correctly up to a point.

There happens (intermittently) a disconnect and somehow the server loses the auth and asks for a logon (although it could also be the browser side that loses the info and pops open the logon ... I am not sure which ...). The logon popup screen looks enough like the one the Windows OS would open up for you (either for browser CORS or local logon), and I use the credentials of the user logged on to the Windows machine, however I get a wrong password/username error, which doesn't make sense as I am correctly typing it in.

I am either not authenticating with a proper popup, or the auth is being done without proper info. I would like to know what sort of extra tools I could use to validate and debug this issue, as I am currently unable to reproduce this locally in my dev environment using Visual Studio, and it happens when deployed on the server.

I can always reproduce this bug by hitting F5 refresh, and then trying to do an action that requires auth. I wonder if there is just a setting missing in my config file on the server that says to allow creds to be reentered if ever a disconnect happens from the server.

BTW, this web app has an offline feature that allows a user to still work offline (SPA) and, when back online, should be able to just re-enter the creds (in the popup) and continue working as is. So far I have not yet had success after the F5 refresh happens; otherwise it works OK the rest of the time.
Question by:landerson999
6 Comments
 

Assisted Solution

by:BigRat
BigRat earned 500 total points
ID: 41754766
The logon popup screen looks enough like the one the windows OS would open up for you

If so it implies that the server has sent a 401 "Authentication required" response.

however I get wrong password / username error.... which doesn't make sense as I am correctly typing it in.

because the Basic Authentication doesn't have that username and/or that password.

I can always reproduce this bug by hitting F5 refresh, and then trying to do an action that requires auth.

What are we losing here? Session cookie or JSON Web Token?

I'd install something like Fiddler and look at the HTTP traffic going up and down the line, particularly after an F5.

PS: There is one small issue which has cost me a lot over the years and that is time synchronization. Check the time on the server and client.
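The author cannot install Fiddler, but the question BigRat raises (is it really a 401 challenge, and which scheme is the server asking for?) can be answered from the browser's own console. The following is an added example, not code from this thread or from the author's project: it issues a credentialed request, reads the WWW-Authenticate challenge(s) off a 401, and checks whether the response carries the CORS headers a credentialed cross-origin request needs. The URL, origin and the sample 401 response are constructed for the example. Two caveats a practitioner should keep in mind: cross-origin, WWW-Authenticate is only readable by script if the server lists it in Access-Control-Expose-Headers, and the browser completes Negotiate/NTLM itself, so a 401 only reaches script after that handshake has failed or the user has cancelled the prompt.

```javascript
// Added example (not from the thread): inspect a 401 challenge from the
// browser console instead of Fiddler. Works with window.fetch in a browser
// and with a stubbed fetch in Node for testing.

// Parse a WWW-Authenticate value into its challenge scheme names. Several
// challenges may arrive comma-joined ("Negotiate, NTLM"), and Headers.get()
// joins repeated headers the same way.
function parseChallengeSchemes(headerValue) {
  if (!headerValue) return [];
  const schemes = [];
  for (const part of headerValue.split(',')) {
    // A challenge starts with a scheme token, optionally followed by
    // whitespace and params or a token68 blob. Fragments such as
    // charset="UTF-8" left over from splitting a param list contain '='
    // right after the token and therefore do not match.
    const m = part.trim().match(/^([A-Za-z][A-Za-z0-9._-]*)(?:\s+\S.*)?$/);
    if (m) schemes.push(m[1]);
  }
  return schemes;
}

// A credentialed CORS request is only usable if the server echoes the exact
// origin and sends Access-Control-Allow-Credentials: true. A wildcard
// origin is rejected by browsers when credentials are included.
function corsAllowsCredentialsFor(headers, origin) {
  const allowOrigin = headers.get('access-control-allow-origin');
  const allowCreds = headers.get('access-control-allow-credentials');
  return allowOrigin === origin && /^true$/i.test(allowCreds || '');
}

// Summarise what the "logon popup" is actually reacting to.
function describeAuthResponse(response, origin) {
  const schemes = response.status === 401
    ? parseChallengeSchemes(response.headers.get('www-authenticate'))
    : [];
  return {
    status: response.status,
    challenged: response.status === 401,
    schemes,
    // Negotiate/NTLM are answered silently with the logged-on user's token;
    // a native prompt appears only when that fails. Basic always prompts.
    integratedAuthOffered: schemes.some(s => /^(negotiate|ntlm)$/i.test(s)),
    basicOffered: schemes.some(s => /^basic$/i.test(s)),
    corsCredentialedOk: corsAllowsCredentialsFor(response.headers, origin),
  };
}

// Send a credentialed request and describe the outcome. fetchImpl is
// injectable so the helper can be exercised offline with a stub.
async function probeAuth(url, origin, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(url, { method: 'GET', credentials: 'include' });
  return describeAuthResponse(response, origin);
}

// Constructed sample (hypothetical host names): what an IIS site with
// Windows authentication answers when the Negotiate handshake is not
// accepted, with CORS headers for a credentialed request present.
function sampleChallenge() {
  return new Response(null, {
    status: 401,
    headers: {
      'WWW-Authenticate': 'Negotiate, NTLM',
      'Access-Control-Allow-Origin': 'https://spa.example.test',
      'Access-Control-Allow-Credentials': 'true',
    },
  });
}
```

In the browser, run `probeAuth('https://api.example.test/secure', location.origin).then(console.log)` right after the F5 that triggers the bug; if `integratedAuthOffered` is true and the prompt still appears, the problem is in the Negotiate/NTLM handshake (browser zone policy, SPN, or a server-side loss of the authenticated session), not in the typed password. If `corsCredentialedOk` is false, the browser will drop the response before the SPA sees it. Note also that a CORS preflight (OPTIONS) is sent without credentials, so an IIS site with anonymous access disabled answers the preflight with 401 and the real request never leaves the browser.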
 

Author Comment

by:landerson999
ID: 41754909
Thanks BigRat, I will check the time between server and client.
I am not really worried about the F5, but more so the fact that the IIS server could go down, and the user would need to keep their credentials live when they return to the server once it is back up...

As far as I see it, it is almost like the IIS Windows auth needs to check internally with the browser (which does its own thing for providing the creds) to see if there is a leftover authentication and reuse that, instead of asking for new ones, as after the drop we don't even get to a page (which could have Angular storing the credentials) to send the info.

Maybe the cookie needs to have a forced value once the user goes offline, so that when the browser lands again on an active IIS page, it doesn't pop up the login screen?

Thanks in advance
 

Expert Comment

by:BigRat
ID: 41755406
I'd be interested to know what exactly is being sent in the headers on a request to the server when authenticated (the normal case). Fiddler should tell you that.

 

Author Comment

by:landerson999
ID: 41755579
I am not allowed to download any apps here at work. Sorry about that.
 

Accepted Solution

by:landerson999
landerson999 earned 0 total points
ID: 41756637
I found my own answer

At some point in the JavaScript code, window.onbeforeunload = null; was being called, forcing the client side to lose its credential info. In the interim, I have also found that we need to serialize as much info as possible from the session state server side, and that once the server has rebooted, we read the info back into application.sessions.add and continue on our merry way, although this can be auto-enabled through the setting on IIS which, instead of InProc, becomes StateServer mode. It also helps to set the Application Initialization Module to run that first time with an inherent ping to have an app-ready state for your site.
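The accepted answer names two IIS settings without showing them: the sessionState mode (InProc loses every session when the worker process recycles or the server reboots; StateServer keeps it in the ASP.NET State Service) and Application Initialization (warm-up after restart). The following is an added example, not the author's code or configuration: it embeds a constructed web.config in the default InProc shape next to the corrected shape, and a small audit that reports which of the two a given web.config would suffer from. It uses regex extraction rather than a full XML parser so it runs with no dependencies, and assumes the attributes sit on the element's own start tag; the loopback address and port are the state service's documented defaults. The audit also flags a point the thread does not mention: the state service accepts connections without authentication or encryption, so a non-loopback stateConnectionString must be protected by firewall or IPsec.

```javascript
// Added example (not from the thread): audit the two web.config settings the
// accepted answer relies on. Regex-based; not a general XML parser.

// Constructed sample: the default. InProc is also what you get when mode is
// omitted, so every session dies with the worker process.
const WEB_CONFIG_INPROC = `
<configuration>
  <system.web>
    <sessionState mode="InProc" timeout="20" />
    <authentication mode="Windows" />
  </system.web>
</configuration>`;

// Constructed sample: out-of-process session state so a rebooted worker
// process reads its sessions back, plus warm-up so the first request after
// a restart does not land on a cold application. 42424 is the state
// service's default port; keeping it on loopback matters because the
// service itself performs no authentication.
const WEB_CONFIG_HARDENED = `
<configuration>
  <system.web>
    <sessionState mode="StateServer"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  timeout="20" />
    <authentication mode="Windows" />
  </system.web>
  <system.webServer>
    <applicationInitialization doAppInitAfterRestart="true">
      <add initializationPage="/" />
    </applicationInitialization>
  </system.webServer>
</configuration>`;

// Read one double-quoted attribute from an element's start tag. The lazy
// [^>]*? keeps the match inside that tag; the leading \s prevents matching
// a longer attribute name that merely ends in the wanted one.
function getElementAttr(xml, element, attr) {
  const re = new RegExp('<' + element + '\\b[^>]*?\\s' + attr + '="([^"]*)"', 'i');
  const m = xml.match(re);
  return m ? m[1] : null;
}

// Report whether sessions survive a recycle, whether warm-up is configured,
// and whether the state service is reached only over loopback.
function auditSessionConfig(xml) {
  const mode = getElementAttr(xml, 'sessionState', 'mode') || 'InProc';
  const survivesRecycle = /^(StateServer|SQLServer|Custom)$/i.test(mode);
  const hasInit = /<applicationInitialization\b/i.test(xml);
  const findings = [];

  if (!survivesRecycle) {
    findings.push('sessionState mode=' + mode +
      ': all sessions are lost when the worker process restarts');
  }
  if (!hasInit) {
    findings.push('no applicationInitialization: the first request after a ' +
      'restart hits a cold application');
  }

  const conn = getElementAttr(xml, 'sessionState', 'stateConnectionString');
  if (conn) {
    // Expected form: tcpip=host:port
    const m = conn.match(/^tcpip=([^:]+):(\d+)$/i);
    const host = m ? m[1] : '';
    if (!/^(127\.0\.0\.1|localhost)$/i.test(host)) {
      findings.push('stateConnectionString "' + conn + '" reaches the state ' +
        'service over the network: it has no authentication or encryption, ' +
        'restrict it with a firewall or IPsec');
    }
  }

  return { mode, survivesRecycle, hasInit, findings };
}
```

The applicationInitialization element only takes effect when the Application Initialization module is installed (a built-in IIS 8+ feature, a separate download for IIS 7.5) and the application pool has startMode="AlwaysRunning" with preloadEnabled="true" on the application in applicationHost.config; the audit above checks the web.config half only.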
 

Author Closing Comment

by:landerson999
ID: 41763508
I did more research which ended up landing me a 3 part solution.
