• Status: Solved
  • Priority: Medium
  • Security: Public

Problem with windows auth and CORS when logon popup opens

Hello all, thanks in advance

I am having an issue that is very specific. I am not fully aware of all the entrapments that CORS and Windows auth have, but I am trying to implement Windows auth for SSO on a web project I am currently working on.

I have it working correctly up to a point.

There happens (intermittently) a disconnect and somehow the server loses the auth and asks for a logon (although it could also be the browser side that loses the info and pops open the logon ... I am not sure which ...). The logon popup screen looks enough like the one the Windows OS would open up for you (either for browser CORS or local logon), and I use the credentials of the user logged on to the Windows machine; however, I get a wrong password / username error.... which doesn't make sense as I am correctly typing it in.

I am either not authenticating with a proper popup, or the auth is being done without proper info. I would like to know what sort of extra tools I could use to validate and debug this issue, as I am currently unable to reproduce this locally on my dev env. using visual studio, and this happens when deployed on the server.

I can always reproduce this bug by hitting F5 refresh, and then trying to do an action that requires auth. I wonder if there is just a setting missing in my config file on the server that says to allow creds to be reentered if ever a disconnect happens from the server.

btw - this web app has an offline feature that allows a user to still work offline (SPA) and, when back online, they should be able to just reenter the creds (in the popup) and continue working as is. So far I have not yet had success after the F5 refresh happens.... otherwise it works OK the rest of the time.
Asked by: landerson999
 
BigRat Commented:
> The logon popup screen looks enough like the one the windows OS would open up for you

If so it implies that the server has sent a 401 "Authentication required" response.

> however I get wrong password / username error.... which doesn't make sense as I am correctly typing it in.

because the Basic Authentication doesn't have that username and/or that password.

> I can always reproduce this bug by hitting F5 refresh, and then trying to do an action that requires auth.

What are we losing here? Session cookie or JSON Web Token?

I'd install something like Fiddler and look at the HTTP traffic going up and down the line, particularly after an F5.

PS: There is one small issue which has cost me a lot over the years and that is time synchronization. Check the time on the server and client.
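An added example (not part of BigRat's post or the poster's code) of what to look for in the captured traffic: it classifies each request/response pair by the authentication challenge the server sent and by the CORS headers that came back. The exchange object shape (lower-cased header names), the `spa.example.test` origin and the finding codes are assumptions made for this sketch; fill the objects in from a Fiddler capture or the browser's developer-tools network view.

```javascript
// Added example: constructed exchanges, not traffic from the poster's server.
const sampleExchanges = [
  { method: 'GET', reqHeaders: { origin: 'https://spa.example.test' }, status: 401,
    resHeaders: { 'www-authenticate': ['Negotiate', 'NTLM'] } },
  { method: 'OPTIONS', reqHeaders: { origin: 'https://spa.example.test' }, status: 401,
    resHeaders: { 'www-authenticate': ['Negotiate', 'NTLM'] } },
  { method: 'POST', reqHeaders: {}, status: 401,
    resHeaders: { 'www-authenticate': ['Basic realm="intranet"'] } },
  { method: 'GET', status: 200,
    reqHeaders: { origin: 'https://spa.example.test', authorization: 'Negotiate <token>' },
    resHeaders: { 'access-control-allow-origin': '*' } },
];

// Scheme names offered in a 401, lower-cased: 'Basic realm="x"' -> 'basic'.
function offeredSchemes(resHeaders) {
  return [].concat(resHeaders['www-authenticate'] || [])
    .map((v) => v.trim().split(/\s+/)[0].toLowerCase());
}

function diagnose(ex) {
  const findings = [];
  const schemes = offeredSchemes(ex.resHeaders);
  const integrated = schemes.some((s) => s === 'negotiate' || s === 'ntlm');
  const sentCreds = 'authorization' in ex.reqHeaders || 'cookie' in ex.reqHeaders;
  if (ex.status === 401) {
    // Browsers send CORS preflights without credentials, so a 401 here fails the preflight.
    if (ex.method === 'OPTIONS') findings.push('PREFLIGHT_REQUIRES_AUTH');
    // Only Basic is offered: the prompt is a Basic prompt, not integrated Windows auth.
    else if (schemes.includes('basic') && !integrated) findings.push('BASIC_PROMPT');
    // First leg of integrated auth: the browser has not answered the challenge yet.
    else if (integrated && !sentCreds) findings.push('INTEGRATED_CHALLENGE');
  }
  if (ex.reqHeaders.origin && sentCreds) {
    // A credentialed cross-origin response needs an explicit origin and Allow-Credentials: true.
    if (ex.resHeaders['access-control-allow-origin'] === '*') findings.push('CORS_WILDCARD_WITH_CREDENTIALS');
    if (ex.resHeaders['access-control-allow-credentials'] !== 'true') findings.push('CORS_ALLOW_CREDENTIALS_MISSING');
  }
  return findings;
}

function diagnoseAll(exchanges) {
  return exchanges.map(diagnose);
}

console.log(diagnoseAll(sampleExchanges));
```

Comparing the findings for a normal page load against those for the request made right after an F5 shows whether the challenge type or the credentials being sent changed.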
 
landerson999 Author Commented:
Thanks BigRat, I will check the time between server and client.
I am not really worried about the F5, but more so the fact the IIS server could go down, and the user would need to keep their credentials live when they return to the server once it is back up...

As far as I see it, it is almost like the IIS Windows auth needs to check internally with the browser (which does its own thing for providing the creds) to see if there is a leftover authentication and reuse that, instead of asking for new ones, as after the drop, we don't even get to a page (which could have the Angular storing the credentials) to be sent the info.

Maybe the cookie needs to have a forced value once the user goes offline, so that when the browser lands again on an active IIS page, it doesn't pop up the login screen?

Thanks in advance
 
BigRat Commented:
I'd be interested to know what exactly is being sent in the headers on a request to the server when authenticated (the normal case). Fiddler should tell you that.
 
landerson999 Author Commented:
I am not allowed to download any apps here at work. Sorry about that
 
landerson999 Author Commented:
I found my own answer

At some point in the JavaScript code, window.onbeforeunload = null; was being called, forcing the client side to lose its credential info. In the interim, I have also found that we need to serialize as much info from the sessionstate server side, and that once the server has rebooted, we read the info back into the application.sessions.add and continue our merry way, although this can be auto enabled through the setting on IIS which is instead of InProc, becomes StateServer mode. It also helps to set the Application Initialization Module to run that first time with an inherent ping to have an app ready state for your site.
 
landerson999 Author Commented:
I did more research which ended up landing me a 3 part solution.
Question has a verified solution.