I have an AngularJS application which needs to talk to a service. The service is not set up to receive CORS requests so I have a ASP.NET WebAPI proxy, which receives requests from the AngularJS app and then calls the service.
Windows authentication is used. Credentials are passed in like this:
$http({
    method: 'POST',
    url: 'api/Query/',
    data: data,
    withCredentials: true   // send the Windows (Negotiate) credentials with the request
})
.success(function (response) {
    args.success(response);
})
.error(function (data, status, headers, config) {
    args.error(data.Message);
});
The WebAPI service then impersonates the principal, calls the service and returns the data:
using System;
using System.Configuration;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Http;
using Newtonsoft.Json;

[Authorize]
public class QueryController : ApiController
{
    [Log]
    [HttpPost]
    public HttpResponseMessage Post([FromBody]object data)
    {
        var url = ConfigurationManager.AppSettings["URL"];

        // Identity of the caller as authenticated by IIS (Windows authentication)
        var windowsIdentity = (WindowsIdentity)HttpContext.Current.User.Identity;

        // Run the outbound call under the caller's token rather than the app pool account
        using (windowsIdentity.Impersonate())
        {
            var serializedData = JsonConvert.SerializeObject(data);

            // UseDefaultCredentials makes WebClient authenticate with the current (impersonated) token
            using (var client = new WebClient { UseDefaultCredentials = true })
            {
                client.Headers.Add(HttpRequestHeader.ContentType, "application/json; charset=utf-8");
                var responseBytes = client.UploadData(url, "POST", Encoding.UTF8.GetBytes(serializedData));
                return new HttpResponseMessage
                {
                    StatusCode = HttpStatusCode.OK,
                    Content = new ByteArrayContent(responseBytes)
                };
            }
        }
    }
}
The end service is a bit of a black box to me - I don't fully know, and have no control over, what is going on there.
Now when I make a call from IE, it makes the call successfully. When I make a call from Chrome, it successfully calls the WebAPI, but in the WebAPI, when it gets to the client.UploadData(...) line, the end service responds with a 401 Unauthorised response.
If I put a breakpoint on the call and inspect the windowsIdentity on either an IE or Chrome call, the IsAuthenticated flag is set, AuthenticationType is 'Negotiate' and the Identity Name is my login, all as expected.
One thing that is different is the Claims, and in particular the Groups. When making a Chrome call, the following groups are included:
S-1-5-1139721481-3647981065-3646938227-513
S-1-1-0
S-1-5-32-545
S-1-5-2
S-1-5-11
S-1-5-15
And when I make an IE call, the following are provided:
S-1-5-1139721481-3647981065-3646938227-513
S-1-1-0
S-1-5-32-545
S-1-5-11
S-1-5-15
S-1-5-4
S-1-2-1
S-1-2-0
In fact, any successful call tends to have those last 3, and the unauthorised calls don't. These apparently have the following meaning:
SID: S-1-5-4 Name: Interactive Description: A group that includes all users that have logged on interactively. Membership is controlled by the operating system.
SID: S-1-2-0 Name: Local Description: A group that includes all users who have logged on locally.
SID: S-1-2-1 Name: Console Logon Description: A group that includes users who are logged on to the physical console.
I have experimented with different authentication providers, but this has not made a difference.
What is happening here and how do I prevent it?
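A small diagnostic helper that can be dropped into the controller above to compare the two cases side by side. This is an added example, not code from the question; `TokenDiagnostics` and `Describe` are hypothetical names, and the three SID labels are the ones quoted in the question. It records the identity's name, authentication type and impersonation level (the level determines whether a token accepted from a client may be used to authenticate onward to another network service) and resolves each group SID to an account name where Windows can map it.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Text;

// Added diagnostic helper (not part of the question): summarise the token the
// WebAPI receives so that the IE and Chrome requests can be compared in the log.
public static class TokenDiagnostics
{
    // Well-known SIDs called out in the question, with the meanings quoted there.
    private static readonly Dictionary<string, string> KnownSids = new Dictionary<string, string>
    {
        { "S-1-5-4", "Interactive" },
        { "S-1-2-0", "Local" },
        { "S-1-2-1", "Console Logon" },
    };

    public static string Describe(WindowsIdentity identity)
    {
        var sb = new StringBuilder();
        sb.AppendLine("Name: " + identity.Name);
        sb.AppendLine("IsAuthenticated: " + identity.IsAuthenticated);
        sb.AppendLine("AuthenticationType: " + identity.AuthenticationType);
        // Identification/Impersonation tokens are valid on this machine only;
        // Delegation is required for the impersonated token to be accepted by a further hop.
        sb.AppendLine("ImpersonationLevel: " + identity.ImpersonationLevel);

        sb.AppendLine("Groups:");
        if (identity.Groups != null)
        {
            foreach (IdentityReference group in identity.Groups)
            {
                string sid = group.Value;
                string name;
                if (!KnownSids.TryGetValue(sid, out name))
                {
                    try
                    {
                        // Ask Windows for the account name behind the SID
                        name = group.Translate(typeof(NTAccount)).Value;
                    }
                    catch (IdentityNotMappedException)
                    {
                        name = "(unmapped)";
                    }
                }
                sb.AppendLine("  " + sid + "  " + name);
            }
        }
        return sb.ToString();
    }
}
```

Call `TokenDiagnostics.Describe(windowsIdentity)` in the controller before `Impersonate()` and write the result through the existing `[Log]` mechanism; diffing the output of an IE request against a Chrome request shows directly which token properties differ, rather than inferring it from the group SIDs alone.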