使用NTLM安全的AngularJS调用WebAPI2服务。

时间:2022-02-05 13:31:21

I have two projects; one is an MVC project using angular (so not real MVC) and the other is a WebAPI2 project with various controllers feeding data to and accepting data from the first project.

我有两个项目;一个是使用角度(所以不是真正的MVC)的MVC项目,另一个是一个WebAPI2项目,它有各种各样的控制器来提供数据,并从第一个项目中接受数据。

The first project is using angular's $http to query the WebAPI service:

第一个项目是使用角的$http查询WebAPI服务:

var request = $http({
        method: "GET",
        url: "http://localhost:1234/api/Entity/",
        json: true,
        crossDomain: true,
        datatype: 'json',
        params: { action: "get" },
        withCredentials: true
    });

When this runs in IE10, the data is returned without any problem at all. However, running this in Chrome or Firefox results in a 401 error. I've used Fiddler to examine the difference between the requests and have narrowed it down to the Authorization header. The IE request looks like this:

在IE10中运行时,返回的数据没有任何问题。然而,在Chrome或Firefox中运行这个程序会导致401错误。我使用Fiddler检查请求之间的差异,并将其缩小到授权头。IE请求如下:

GET http://localhost:1234/api/Entity?action=get
HTTP/1.1
Referer: http://localhost:1234/Home
Accept: application/json, text/plain, */*
Accept-Language: en-GB
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64;     Trident/6.0)
Connection: Keep-Alive
DNT: 1
Authorization: Negotiate oXcwdaADCgEBoloEWE5UTE1TU1AAAwAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAABXCiOIGAbEdAAAAD+mN4751DVFNv2xW6c59dCajEgQQAQAAAPUXp1AtIpqEAAAAAA==
Host: localhost:58843

From what I can gather, the format of the token indicates that it is using NTLM security. Is there something I can do to pass force this Authorization header to be sent via the $http request?

从我所收集的信息来看,令牌的格式表明它正在使用NTLM安全性。我是否可以通过$http请求来传递强制这个授权头?

I can't see that there is any security specified in the WebAPI service (I've inherited this project in the last couple of days so am not entirely familiar with it yet); is the Authorization header being sent since it is a CORS request?

我看不到WebAPI服务中指定的任何安全性(我在过去几天继承了这个项目,所以还不完全熟悉它);由于是CORS请求,所以正在发送授权头吗?

I'm currently at the point of moving the WebAPI controllers into the first project to avoid any cross domain calls; perhaps this is the best thing to do given that this REST service will only be called by the MVC project?

我目前正在将WebAPI控制器移到第一个项目中,以避免任何跨域调用;如果这个REST服务只会被MVC项目调用,那么这可能是最好的选择。

Any help would be much appreciated!

非常感谢您的帮助!

2 个解决方案

#1


1  

Firefox (actually any browser other than IE) does not support native NTLM but you can get this to work with use of this add-on: https://addons.mozilla.org/en-US/firefox/addon/integrated-auth-for-firefox/

Firefox(实际上除了IE之外的任何浏览器)不支持本地NTLM,但是您可以使用这个附加组件:https://addons.mozilla.org/en- us/firefox/addon/integrated - authed -for firefox/

I use it and whitelist my internal domain and am able to make the same kind of calls from angular to WebApi as you can with IE. If you watch the network tab of the dev console you'll see the negotiation attempts with a couple 401 rejections before you get the 200, but that doesn't bubble up to your app until after negotiation is completed.

我使用它,并将我的内部域白名单,并能做同样的调用从角到WebApi,你可以用IE。如果你看一下开发控制台的network选项卡,你会看到在你收到200个之前,有几次401次拒绝的协商尝试,但是直到协商完成之后,才会出现在你的应用程序中。

#2


-1  

It seems to have something to do with either the order of the providers in IIS for the "Windows Authentication" option. The "Negotiate" providers needs to be removed from the list of providers and leave only NTLM. Please see article below for a step by step explanation on removing "Negotiate" from the list of providers in IIS. It worked for me.I hope it does for you. http://www.leftycoder.com/windows-authentication-chrome-iis/

它似乎与IIS中提供程序的“Windows身份验证”选项的顺序有关。“协商”提供者需要从提供者列表中删除,只保留NTLM。请参阅下面的文章,逐步解释从IIS中的提供者列表中删除“协商”。它为我工作。我希望对你有帮助。http://www.leftycoder.com/windows-authentication-chrome-iis/

#1


1  

Firefox (actually any browser other than IE) does not support native NTLM but you can get this to work with use of this add-on: https://addons.mozilla.org/en-US/firefox/addon/integrated-auth-for-firefox/

Firefox(实际上除了IE之外的任何浏览器)不支持本地NTLM,但是您可以使用这个附加组件:https://addons.mozilla.org/en- us/firefox/addon/integrated - authed -for firefox/

I use it and whitelist my internal domain and am able to make the same kind of calls from angular to WebApi as you can with IE. If you watch the network tab of the dev console you'll see the negotiation attempts with a couple 401 rejections before you get the 200, but that doesn't bubble up to your app until after negotiation is completed.

我使用它,并将我的内部域白名单,并能做同样的调用从角到WebApi,你可以用IE。如果你看一下开发控制台的network选项卡,你会看到在你收到200个之前,有几次401次拒绝的协商尝试,但是直到协商完成之后,才会出现在你的应用程序中。

#2


-1  

It seems to have something to do with either the order of the providers in IIS for the "Windows Authentication" option. The "Negotiate" providers needs to be removed from the list of providers and leave only NTLM. Please see article below for a step by step explanation on removing "Negotiate" from the list of providers in IIS. It worked for me.I hope it does for you. http://www.leftycoder.com/windows-authentication-chrome-iis/

它似乎与IIS中提供程序的“Windows身份验证”选项的顺序有关。“协商”提供者需要从提供者列表中删除,只保留NTLM。请参阅下面的文章,逐步解释从IIS中的提供者列表中删除“协商”。它为我工作。我希望对你有帮助。http://www.leftycoder.com/windows-authentication-chrome-iis/