Skip to content

CORS and Windows Authentication

December 15, 2012

If you want to use windows authentication with CORS then a few things need to be configured properly.

First on the server in your CORS configuration you will need to allow credentials, which means emitting the Access-Control-Allow-Credentials=true response header from both preflight and simple CORS requests. If you’re using the CORS feature of the ThinkTecture.IdentityModel security library then all you’d need to do use the AllowCookies() option (I am thinking of renaming it to AllowCookiesAndCredentials() to be more descriptive).

Then in your client code (I’m assuming jQuery here) if you wish to support integrated windows authentication you simply need to tell jQuery (and consequently the XMLHttpRequest) that it is allowed to perform the authorization handshake (via the withCredentials flag):

$.ajax({
    url: url,
    type: "GET",
    data : {...},
    ...
    xhrFields: {
        withCredentials: true
    }
});

or if you’d prefer to do basic authentication and have the username and password to pass, you can do this:

$.ajax({
    url: url,
    type: "GET",
    data : {...},
    ...
    username: "username",
    password:"password",
    xhrFields: {
        withCredentials: true
    }
});

HTH

3 Comments leave one →
  1. Mauricio permalink
    January 6, 2014 7:46 pm

    Thanks, you save my day

  2. John permalink
    September 21, 2014 9:05 am

    This works great when using IE against an IIS server. However, neither Firefox nor Chrome will work. When the latter browsers send the HTTP OPTIONS request to get the CORS headers, IIS sends a 401 Unauthorized response to start authentification negotiation. Both Firefox and Chrome bail out at that point. Is there any way to get this to work with those browsers?

    • September 21, 2014 10:42 am

      Well, 401 on OPTIONS for CORS is the wrong response. If you think about it, without CORS then how could you know you could send credentials, and thus the 401 is premature. What you need is something in IIS (like a module) to do a proper CORS response (and prevent/change the 401).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: