We have an controller method that is being called twice. The first time it is called we get the correct parameters, the second time it is called we get no parameters and the MVC engine throws an exception because the arguments to the method cannot be null.
We have seen this behaviour before when using certain versions of Safari and it was to do with authentication. When using windows authentication if the properties of the authentication in IIS were set to Negotiate and NTLM an ajax call would get sent once for each. The fix for this was to remove one (I think we just left it as NTLM). This is not the case as we are using forms authentication here.
We have also seen similar behaviour when calling WCF methods that were returning types that were derived and not using the KnownType attributes on the parent class.
We cannot reproduce this with any success (it's happening infrequently on a clients machine) and are looking for any general gotchas.
The reason the call is being called twice is because of a bug in Safari when working with Windows Authentication under IIS. Go to the Authentication settings of your website. Right click on Windows Authentication, choose providers and remove Negotiate, leaving NTLM which works fine. I haven't tested Kerberos.
This issue only appears in certain builds of safari.
Related
I currently have an asp.net web api 2 site hosted in IIS secured with windows authentication. A requirement has now come in for us to support client certificate authentication in addition to windows, and I'm struggling to find out:
- if this is possible at all
- if there are any working examples available
I thought might be able to add an additional owin middleware or messagehandler or filter, but can't see any existing ones that do this specifically for windows rather than just relying on IIS. I know thinktecture identitymodel can do client cert, but not sure if the two can be combined?
Example of forms +win that i thought might be similar is here https://techblog.dorogin.com/mixed-windows-forms-authentication-for-ajax-single-page-application-e4aaaac0424a
Right so I managed to figure it out. Thankfully, if a controller returns a 401, IIS automatically adds the negotiate/ntlm headers, so if a user is on a windows browser, it will then automatically authenticate as usual. So with that in mind, to keep windows auth working, I:
updated the site in both IIS and VS to allow anonymous AND windows auth
added the [AuthorizeAttribute] as a global action filter (which causes the 401 to be returned if the user is not authenticated by the time they hit the filter)
To get client certificate auth working, I used the magnificent Thinktecture.IdentityModel library, which allowed me to add only one line to my Startup.cs file (we're using OWIN so this was easy)
app.UseClientCertificateAuthentication();
See https://github.com/IdentityModel/Thinktecture.IdentityModel/blob/master/samples/OWIN/AuthenticationTansformation/KatanaAuthentication/Startup.cs for an example
We are working on an internal MVC3 app that purely uses Windows Authentication. There's a view that does an AJAX call to a controller action that does some processing before calling a web service. The problem we are running into is that if Anonymous access is turned off (as in Windows Authentication is on), calling the service from the controller actions results in a 401: Unauthorized error.
We have run into a problem of the double hop issue where credentials aren't passed correctly from server to server when calling a service within a service. I'm wondering if the AJAX call is somewhat mimicing the same behavior and not transmitting the correct Windows credentials to the controller which then doesn't pass the correct credentials to the web service.
I've seen some posts that shows how to pass a username and password along with the jQuery call but nothing mentions, an effective way, to bring along Windows Authentication with it.
Has anyone run into a similar issue? We would rather not leave Anonymous access on the web service as it is somewhat sensitive data that we would like to control access to.
Do you have identity impersonation turned on as described in this question:
How to get Windows user name when identity impersonate="true" in asp.net?
A colleague did some research over the weekend and determined it may have something to do with Kerberos authentication setup on the server as well as the jQuery call. In order to get around it, we just refactored the web service into a library that the application just references. We made it a web service initially as we thought in the future this data would need to be accessed from other applications. Running into this issue, we will most likely make it into a NuGet package.
Thanks for the comments.
I have an IHttpHandler which I'm running on an Windows Server 2008R2, and IIS 7.5 with integrated mode. The handler should handle file uploads, triggered by a jQuery-Ajax call.
First It did not work on IIS at all, only in the VS 2010 Debugger. Somehow I did manage to register the Handler correctly and I was able to debug the HttpHandler - BUT: Asp.Net Authentication wasn't working: it always said I wasn't logged in. When I directly access the HttpHandler it all works like a charm. Only the jQuery-Ajax call drops dead.
For further information: I'm using FormsAuthentication and it all is running inside an MVC 3 Application.
Could it be related to a missing AuthCookie? I've also read this Article, but it doesn't seem to help me out: MVC + Ajax call to Controller Loses Authentication
If you need any further information / code, just ask for it, I'll post it asap.
Could it be related to a missing AuthCookie?
Yes, it could, especially if your file upload component uses Flash it might not send the authentication cookie. You may take a look at the following article for a sample workaround which consists into sending the authentication cookie value in addition to the file in the request.
I am trying to do some screen scraping accessing a forms authenticated website. I was doing some tests on an asp.net forms authenticated site that I built and it worked just great. When I tried the real site I realized it was using some kind of an Oracle forms authentication (a fiddler showed a call to a dll instead of an html file. I suppose this dll provides the html result). What I see in fiddler is:
https://{domain}/access/oblix/apps/webgate/bin/webgate.dll
The rest of the call seems similar, cookie, user name and password, just like in the regular forms authentication.
Any idea on how to crack this type of request (to a dll instead of an html)?
(By the way, the result I get is some kind of an Oracle error).
With Forms Authentication the webserver issues the client with a cookie that is used to verify the client in future subsequent requests (HTTP Basic and Digest authentication requires the client to post the "WWW-Authorization" header on every request). Are you persisting your cookies between requests?
The file extension of the url is not important to how you make your request.
It sounds like your script needs to make a request identical to the ajax request made by your browser (and shown in fiddler).
I'm using MGTwitterEngine and OAuthConsumer frameworks. And mostly following the instructions at UsingOAuthConsumer.
In order to use OAuth and not have the user deal with the oob PIN based authentication, you need to enable a callback to the application. To do this on a desktop (or iOS) application, you need to set up a custom URI scheme that goes to an event handler in the app. I got this working, and tested it by using the custom URI in Safari. My app does open and the correct method is invoked. So far so good.
To do this for Twitter, you need to specify the callback URI in the settings for the application on Twitter's dev site. Here the problem starts. Twitter won't allow non-standard URIs. So "myapp://oauth/" is not allowed. It has to be an http or https URI. All the websites I referenced say to put a placeholder here, and override in the request token request. OK, so I put a dummy URL for my website here. Now to implement the override. Here's the code from one of the comments on how to so that:
OAMutableURLRequest *request = [[OAMutableURLRequest alloc] initWithURL:url
consumer:consumer
token:nil
realm:nil
signatureProvider:nil];
[request setOAuthParameterName:#"oauth_callback" withValue:#"callbackurl:"];
When I add that second method call, the request to twitter now fails. NSURLErrorDomain error -1012 or something similar (I forgot to write down the number).
I tried a number of ways, but was never able to override the callback URL. Does anyone have a sure-fire way of doing this? For now, I've changed the app to use the OOB PIN authentication method, but I'd sure like to remove that unnecessary step for the user.
Thanks!
joe
I finally gave up on the OAuthConsumer framework and switched to the Google GTMOAuth framework. That works fine.