Solved

Problem with Windows auth and CORS when logon popup opens

Posted on 2016-08-12
Last Modified: 2016-08-20
Hello all, thanks in advance

I am having an issue that is very specific. I am not fully aware of all the entrapments that CORS and Windows auth have, but I am trying to implement Windows auth for SSO on a web project I am currently working on.

I have it working correctly up to a point.

Intermittently there is a disconnect and somehow the server loses the auth and asks for a logon (although it could also be the browser side that loses the info and pops open the logon ... I am not sure which ...). The logon popup screen looks enough like the one the Windows OS would open up for you (either for browser CORS or local logon), and I use the credentials of the user logged on to the Windows machine, however I get a wrong password / username error.... which doesn't make sense as I am correctly typing it in.

I am either not authenticating with a proper popup, or the auth is being done without proper info. I would like to know what sort of extra tools I could use to validate and debug this issue, as I am currently unable to reproduce this locally on my dev env. using Visual Studio, and this happens when deployed on the server.

I can always reproduce this bug by hitting F5 refresh, and then trying to do an action that requires auth. I wonder if there is just a setting missing in my config file on the server that says to allow creds to be reentered if ever a disconnect happens from the server.

btw- this web app has an offline feature, that allows a user to still work offline (SPA) and when back online, should be able to just reenter the creds (in the popup) and continue working as is. So far I have not yet had success after the F5 refresh happens.... otherwise it works OK the rest of the time.
0

Question by:landerson999

6 Comments
LVL 27

Assisted Solution

by:BigRat
BigRat earned 500 total points
ID: 41754766
The logon popup screen looks enough like the one the windows OS would open up for you

If so it implies that the server has sent a 401 "Authentication required" response.

however I get wrong password / username error.... which doesn't make sense as I am correctly typing it in.

because the Basic Authentication doesn't have that username and/or that password.

I can always reproduce this bug by hitting F5 refresh, and then trying to do an action that requires auth.

What are we losing here? Session cookie or JSON Web Token?

I'd install something like Fiddler and look at the HTTP traffic going up and down the line, particularly after an F5.

PS: There is one small issue which has cost me a lot over the years and that is time synchronization. Check the time on the server and client.
0
 

Author Comment

by:landerson999
ID: 41754909
Thanks BigRat, I will check the time between server and client.
I am not really worried about the F5, but more so the fact the IIS server could go down, and the user would need to keep their credentials live, when they return to the server once it is back up...

As far as I see it, it is almost like the IIS Windows auth needs to check internally with the browser (which does its own thing for providing the creds) to see if there is a leftover authentication and reuse that, instead of asking for new ones, as after the drop, we don't even get to a page (which could have the Angular storing the credentials) to be sent the info.

Maybe the cookie needs to have a forced value once the user goes offline, so that when the browser lands again on an active IIS page, it doesn't pop up the login screen?

Thanks in advance
0
 
LVL 27

Expert Comment

by:BigRat
ID: 41755406
I'd be interested to know what exactly is being sent in the headers on a request to the server when authenticated (the normal case). Fiddler should tell you that.
0
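As an added example (not code from the thread, and not from landerson999's project): a small Node script that does the check BigRat asks for in both of his comments, reading a request/response pair of the kind Fiddler displays and reporting what the headers say about the Windows-auth and CORS state. The sample exchanges, host names and finding codes are all constructed for the example; the header semantics (401 plus WWW-Authenticate, the Negotiate/NTLM handshake, the CORS credential rules) are standard HTTP.

```javascript
// Added example, not code from the thread or from the asker's project.
// Parses a constructed HTTP request/response pair (the text Fiddler would show)
// and reports what the headers say about Windows-auth and CORS state.

function parseHttpMessage(raw) {
  // First line is the request/status line; headers end at the first blank line.
  const lines = raw.replace(/\r\n/g, "\n").split("\n");
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line.trim() === "") break;
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    // Repeated headers (IIS sends "WWW-Authenticate: Negotiate" and
    // "WWW-Authenticate: NTLM" separately) are folded into one comma list.
    headers[name] = name in headers ? headers[name] + ", " + value : value;
  }
  return { startLine: lines[0], headers };
}

function authSchemes(value) {
  // "Negotiate, NTLM" -> ["negotiate", "ntlm"]; 'Basic realm="app"' -> ["basic"].
  // Realms containing commas are not handled; good enough for a diagnostic.
  return value
    .split(",")
    .map((part) => part.trim().split(/\s+/)[0].toLowerCase())
    .filter((scheme) => scheme !== "");
}

function diagnoseExchange(rawRequest, rawResponse) {
  const req = parseHttpMessage(rawRequest);
  const res = parseHttpMessage(rawResponse);
  const status = Number(res.startLine.split(" ")[1]);
  const challenges = authSchemes(res.headers["www-authenticate"] || "");
  const sentAuth = authSchemes(req.headers["authorization"] || "");
  const hasSessionCookie = /ASP\.NET_SessionId=/i.test(req.headers["cookie"] || "");
  const sso = challenges.includes("negotiate") || challenges.includes("ntlm");
  const findings = [];

  if (status === 401) {
    if (challenges.includes("basic") && !sso) {
      // Plain username/password prompt: the logged-on Windows account is never
      // offered, so typing it in gets "wrong password" unless Basic knows it.
      findings.push("BASIC_ONLY_CHALLENGE");
    }
    if (sso && sentAuth.length === 0) {
      // First leg of the Negotiate/NTLM handshake; the browser should answer silently.
      findings.push("INITIAL_SSO_CHALLENGE");
    }
    if (sentAuth.includes("negotiate") || sentAuth.includes("ntlm")) {
      // A token was sent and refused: check client/server clock skew first
      // (Kerberos rejects tickets outside its tolerance), then SPN and app-pool identity.
      findings.push("SSO_TOKEN_REJECTED");
    }
  }
  if ("origin" in req.headers) {
    // Cross-origin request. Authorization and cookies only travel when the client
    // uses withCredentials / credentials:"include" AND the server answers with
    // Access-Control-Allow-Credentials: true and a non-wildcard allowed origin.
    const allowOrigin = res.headers["access-control-allow-origin"] || "";
    const allowCreds = (res.headers["access-control-allow-credentials"] || "").toLowerCase();
    if (allowOrigin === "" || allowOrigin === "*" || allowCreds !== "true") {
      findings.push("CORS_BLOCKS_CREDENTIALS");
    }
  }
  if (!hasSessionCookie) findings.push("NO_SESSION_COOKIE");
  return { status, challenges, sentAuth, hasSessionCookie, findings };
}

// Constructed sample: the first API call after an F5, with no credentials attached.
const SAMPLE_AFTER_F5 = {
  request: ["GET /api/tasks HTTP/1.1", "Host: app.example.test",
    "Origin: https://spa.example.test", ""].join("\r\n"),
  response: ["HTTP/1.1 401 Unauthorized", "WWW-Authenticate: Negotiate",
    "WWW-Authenticate: NTLM", "Access-Control-Allow-Origin: *", ""].join("\r\n"),
};

// Constructed sample: the browser did answer with a token, but the server refused it.
const SAMPLE_TOKEN_REFUSED = {
  request: ["GET /api/tasks HTTP/1.1", "Host: app.example.test",
    "Authorization: Negotiate AAAAAAAAAAAAAAAAAAAAAAAA",
    "Cookie: ASP.NET_SessionId=abc123", ""].join("\r\n"),
  response: ["HTTP/1.1 401 Unauthorized", "WWW-Authenticate: Negotiate", ""].join("\r\n"),
};

function runSamples() {
  return {
    afterF5: diagnoseExchange(SAMPLE_AFTER_F5.request, SAMPLE_AFTER_F5.response),
    tokenRefused: diagnoseExchange(SAMPLE_TOKEN_REFUSED.request, SAMPLE_TOKEN_REFUSED.response),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runSamples(), null, 2));
}
```

Paste a real captured request and response into `diagnoseExchange` in place of the constructed samples. The two findings that matter most for the thread are `INITIAL_SSO_CHALLENGE` showing up on a request that should already carry a token (the browser is not answering the Negotiate challenge, so it falls back to a prompt) and `CORS_BLOCKS_CREDENTIALS`, which explains why a cross-origin call from the SPA arrives at IIS with no Authorization header or session cookie at all.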

Author Comment

by:landerson999
ID: 41755579
I am not allowed to download any apps here at work. Sorry about that
0
 

Accepted Solution

by:landerson999
landerson999 earned 0 total points
ID: 41756637
I found my own answer

At some point in the JavaScript code, window.onbeforeunload = null; was being called, forcing the client side to lose its credential info. In the interim, I have also found that we need to serialize as much info from the session state server side, and that once the server has rebooted, we read the info back into the application.sessions.add and continue on our merry way, although this can be auto enabled through the setting on IIS which instead of InProc becomes StateServer mode. It also helps to set the Application Initialization Module to run that first time with an inherent ping to have an app ready state for your site.
0
 

Author Closing Comment

by:landerson999
ID: 41763508
I did more research which ended up landing me a 3 part solution.
0