Angular 4 Odata (ASP.net) Windows Authentication on Chrome


I have an Angular 4 service that calls an OData API. I have my API set up to work using Windows Authentication; this works via IE (version 11) but not with Chrome, where it throws a:

Failed to load resource: the server responded with a status of 401 (Unauthorized)

This is followed by:

XMLHttpRequest cannot load http://gbldnrgaptest1:53219/User. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://gap' is therefore not allowed access. The response had HTTP status code 401.

I use the following methods to create my options for each request sent:

private GetOptions(): RequestOptionsArgs{
    let options : RequestOptionsArgs;
    options = {
        headers : this.GetHeaders(),
        withCredentials: true
    };

    return options;
}

private GetHeaders(): Headers {
    let headers = new Headers();
    headers.append("OData-Version","4.0");
    headers.append("Content-Type","application/json;odata.metadata=minimal");
    headers.append("Accept","application/json");
    return headers;
}

On my API I have enabled CORS:

var cors = new EnableCorsAttribute(origins: "*", headers: "*", methods: "*", exposedHeaders: "*")
{
    SupportsCredentials = true
};
config.EnableCors(cors);

I have also enabled Windows authentication in web.config:

<system.web>
  <compilation debug="true" targetFramework="4.5" />
  <httpRuntime targetFramework="4.5" />
  <authentication mode="Windows"></authentication>
</system.web>

My IIS is also set to only allow Windows Auth.

Anyone know what I may be missing?

I feel like it's a header issue, as when I simply run a GET request in Chrome, e.g. by navigating to http://gbldnrgaptest1:53219/User, it returns just fine; SOAP UI works too once I add in NTLM authentication.

Chirag Patel On BEST ANSWER

Made it work. I had to do the following:

Add the following to Web.Config:

<authorization>
  <allow verbs="OPTIONS" users="*"/>
  <deny users="?" />
</authorization>

This was because the pre-flight request being sent out apparently does not send credentials, and this was causing the error to occur. Now that the above rules are set, Anonymous Authentication needs to be turned back on; the rule set in Web.Config will then filter what goes through, allowing only OPTIONS requests to be made anonymously.
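
The effect of the two rules in the answer can be checked with a small model of first-match URL authorization. This is an added example, not part of the original answer and not ASP.NET's own code; `RULES`, `authorize`, `report` and the sample account name are illustrative assumptions.

```javascript
// Added example: a simplified model of ASP.NET URL authorization. Rules are read
// top to bottom and the first rule that matches the request decides.
// RULES mirrors the <authorization> element from the answer above.
const RULES = [
  { action: "allow", verbs: ["OPTIONS"], users: "*" },
  { action: "deny", users: "?" },
];
// Assumption: nothing else in the config hierarchy overrides the framework's
// default allow-all rule, which applies when no rule above matches.
const DEFAULT_RULE = { action: "allow", users: "*" };

// req.user === null stands for an anonymous request (no Windows identity).
function ruleMatches(rule, req) {
  if (rule.verbs && !rule.verbs.includes(req.verb.toUpperCase())) return false;
  if (rule.users === "*") return true;              // "*" = everyone
  if (rule.users === "?") return req.user === null; // "?" = anonymous only
  const names = rule.users.split(",").map((n) => n.trim().toLowerCase());
  return req.user !== null && names.includes(req.user.toLowerCase());
}

function authorize(rules, req) {
  const rule = rules.find((r) => ruleMatches(r, req)) || DEFAULT_RULE;
  return rule.action === "allow";
}

// Constructed requests: the credential-less preflight, two anonymous data
// requests, and an authenticated call (the account name is made up).
const SAMPLES = [
  { verb: "OPTIONS", user: null },
  { verb: "GET", user: null },
  { verb: "POST", user: null },
  { verb: "GET", user: "EXAMPLE\\alice" },
];

function report(rules) {
  return SAMPLES.map((r) =>
    `${r.verb} ${r.user ?? "(anonymous)"}: ${authorize(rules, r) ? "allowed" : "denied"}`);
}

console.log(report(RULES).join("\n"));
// Order matters: with the deny rule first, the anonymous preflight is denied again.
console.log(report([...RULES].reverse()).join("\n"));
```

Only the anonymous OPTIONS request passes; anonymous GET and POST are still denied, so the data endpoints stay behind Windows authentication.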