English 中文(简体)
启用了 Windows Auth,对IIS 中的 CORS 请求401 响应401
原标题:401 response for CORS request in IIS with Windows Auth enabled

我试图在我的WebAPI项目中让 CORS 支持, 如果我能让匿名身份验证正常, 那么一切都会好起来, 但是由于Windows Auth+残疾匿名认证, Optoptions 的要求总是返回401个未经授权的回复。 请求地址在 DOMAIN 上,因此应该能够打电话, 是否有办法在不破坏Windows身份验证的情况下绕过这个问题?

最佳回答

发讯人:

如果您禁用匿名认证, IMS就会特意将401个请求归还给任何请求。 如果他们启用了 Windows 验证, 那么在这种情况下的 401 响应将会有一个 WWW- 授权信头允许客户启动认证握手。 问题就在于客户所使用的客户是否能够进行 Windows 验证 。

最后,似乎可能存在一个潜在的问题,即是否可能配置一个 URL, 这样允许一个动词( OPtions, 在本案中) 匿名访问, 但却需要其他动词的 Windows 认证。 IIS 不通过简单的配置支持这一点。 允许匿名和 Windows 认证, 设定拒绝匿名用户访问的内容的ACL, 然后配置有关 URL 的处理器映射, 以便它不核实与 URL 相关的文件的存在。 但是, 需要一些玩家才能确认这一点 。

问题回答

您只能允许匿名用户选择动词 。

<system.web>
  <authentication mode="Windows" />
    <authorization>
      <allow verbs="OPTIONS" users="*"/>
      <deny users="?" />
  </authorization>
</system.web>

根据W3C规格,浏览器排除了CORS飞行前的用户证书:IE 10 and 11 , 我使用ServiceStack而不是WebApi, 但这个方法也可以为你服务。

  1. Enabled Windows Integrated and Anonymous Authentication on IIS Web Site.
  2. Have a series of filters on the ServiceStack Pipeline,
    • For handling Cors and OPTIONS request, On Options request, I add necessary headers and end the request,
    • Filter for checking includng HttpRequest is Authenticated?,
    • etc filter,

在通过所有过滤器后,它执行服务。

< a href=" "https://gist.github.com/SathishN/e0f298b8679d028def0b" rel = "no follow" >CorsFeture.cs

< a href=>"https://gist.github.com/SathishN/50c5c717028b6bcaf405" rel=“nown't follow" >授权Filter

在我的AppHost, 在我的AppHost,

appHost.Plugins.Add(new CorsFeature());

appHost.RequestFilters.Add(AuthenticateFilter.Authenticate);

除了添加信头、 验证过滤器以检查认证的请求外, 我已修改 CorsFature 来处理选项请求!

对我来说(在与角JS或JQuery合作时),

$http.get("http://localhost:88/api/tests", {withCredentials :true})

在服务器上启用 CORS, 这是与微软. Owin. Cors 一起完成的, 来自核元的微软. Owin. Cors, 然后在启动中添加它, 如以下 :

public void Configuration(IAppBuilder app)
    {
        HttpConfiguration config = new HttpConfiguration();

        ConfigureOAuth(app);

        WebApiConfig.Register(config);
        app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
        app.UseWebApi(config);

    }

参考文献:

我使用网络API和OWIN,我尝试了每一个建议的解决办法,但唯一有效的是:

//use it in your startup class
app.Use((context, next) =>
{
    if (context.Request.Headers.Any(k => k.Key.Contains("Origin")) && context.Request.Method == "OPTIONS")
    {
        context.Response.StatusCode = 200;
        context.Response.Headers.Add("Access-Control-Allow-Origin", new string[1] { "ALLOWED_ORIGIN" });
        context.Response.Headers.Add("Access-Control-Allow-Headers", new string[4] { "Origin", "X-Requested-With", "Content-Type", "Accept" });
        context.Response.Headers.Add("Access-Control-Allow-Methods", new string[5] { "GET", "POST", "PUT", "DELETE", "OPTIONS" });
        context.Response.Headers.Add("Access-Control-Allow-Credentials", new string[1] { "true" });

        return context.Response.WriteAsync("");
    }

    return next.Invoke();
});

//this is important! Without it, it didn t work (probably because the middleware was too late)
app.UseStageMarker(PipelineStage.Authenticate);

you need to insert this code somewhere in one of your OWIN startup classes. It s important to call app.UseStageMarker(PipelineStage.Authenticate) because otherwise the preflight check failed. Further infos for UseStageMarker -> https://learn.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/owin-middleware-in-the-iis-integrated-pipeline

同样重要的是,您需要明确定义允许的页眉。如果使用作为占位符,则会失败。

也许对某人有帮助

我知道这是一个老问题,有若干可能的解决办法(以及更多的问题),

https://blogs.iis.net/isteam/istroduction-iis-cors-1-0

< a href=>https://learn.microsoft.com/en-us/iis/extensions/cors-module/cors-module-configation-referr> >https://learn.microsoft.com/en-us/iis/extensions/cors-module/cors-module-configation

您可以通过 IIS Windows 平台安装( WPI) 下载它。 这将解决您的 CORS 认证问题 。 请享用!

IIS 扩展( < a href="https://www.iis.net/downloads/microsoft/is-cors-module" rel= "nofollow norefererr" >IIS CORS CORS 模块 ) 帮助我解决了401个未经授权的飞行前请求, 请求是使用 Windows 认证启用的 IIS 托管程序。 安装了这个模块后, 我安装了 IISRESET, 并在 Web. config 文件中添加了以下内容:

<configuration>
    <configSections>
        <!-- ... (configSections must be the first element!) -->
    </configSections>
    <system.webServer>
        <cors enabled="true">
            <add origin="http://localhost:3000" allowCredentials="true" maxAge="120">
                <allowHeaders allowAllRequestedHeaders="true"/>
                <!-- Added  allowMethods  just in case. -->
                <allowMethods>
                    <add method="HEAD"/>
                    <add method="GET"/>
                    <add method="POST"/>
                    <add method="PUT"/>
                    <add method="DELETE"/>
                    <add method="OPTIONS"/>
                </allowMethods>
            </add>
        </cors>
    </system.webServer>
</configuration>

Here you can find more information on how to configure the IIS CORS Module: Getting started with the IIS CORS Module.

  • instal < a href=" https://www.iis.net/downloads/microsoft/iis-cors-module" rel=“不跟随 nofollow noreferrer"> iis cors 模块 在您的 iis 上 。

  • 在 WebApi 中添加 :

public static void Register(HttpConfiguration config)
{
    var cors = new EnableCorsAttribute("*", "*", "*");
    cors.SupportsCredentials = true;
    config.EnableCors(cors);
}
  • add this lines to your web.config:
  <configuration>
    <system.webServer>
        <cors enabled="true" failUnlistedOrigins="true">
            <add origin="*">
               <allowHeaders allowAllRequestedHeaders="true">
                    <add header="Access-Control-Allow-Origin" />
                    <add header="Access-Control-Allow-Headers" />
                    <add header="Access-Control-Allow-Methods" />
                </allowHeaders>
            </add>
        </cors>
    </system.webServer>
  </configuration>

更多信息,见文章。

  • add xhrFields: {withCredentials: true} to your ajax call.

在 WebApiConfig. cs 中,

public static void Register(HttpConfiguration config)
{        
    //enable cors request just from localhost:15136 
    var cors = new EnableCorsAttribute("http://localhost:15136", "*", "*");
    cors.SupportsCredentials = true;
    config.EnableCors(cors);

    //other stuff
}

https://www.asp.net/web-api/overview/security/enbling-cross-sross-stext-resources-in-web-api>

从 Javascript (





相关问题
Caching of images and script in the _layouts directory

I am trying the figure out why the images (or js, or css) in the _layouts directory are not cached by either IE or FF. The authentication on the site collection is NTLM. The _layouts folder has ...

Why is kerberos defaulting to NTLM in WCF?

Got a simple WCF demo app that has two console projects--host and client. Both are running on my machine (win 7 box). I m using the netTcpBinding, which uses windows authentication. The issue is ...

WCF - How to configure netTcpBinding for NTLM authentication?

I know how to configure basicHttpBinding for NTLM authentication, but can t figure out a way to do the same for netTcpBinding. Does netTcpBinding support NTLM? If so, how to force WCF service to use ...

Squid asks for username and password when using NTLM

I have a proxy running squid and dansguardian on Ubuntu 9.10 server. It is joined to active directory and login succeeds. I ve setup squid and dansguardian to use ntlm and it seems working. When I try ...

Active Directory and NTLM Authentication

I m writing an IIS Application, which manages AD users. For this purpose I ve configured site to use Negotiate AuthenticationProvider, and everything works. I wonder, is NTLM suitable for operations ...