We have an HttpSys listener which should accept authentication as either NTLM, Negotiate or JWT.

The problem is that it looks like HttpSys rejects both preflight messages and messages with a Bearer token (JWT).

Our listener is built like this:

        _host = new WebHostBuilder()
            .UseHttpSys(options =>
            {
                options.Authentication.Schemes = AuthenticationSchemes.NTLM | AuthenticationSchemes.Negotiate;
                options.Authentication.AllowAnonymous = false;
            })
            .UseUrls($"http://+:{PortNo}/")
            .UseUnityServiceProvider(IocContainer)
            .ConfigureServices(services => { services.AddSingleton(_startUpConfig); })
            .UseStartup<StartUp>()
            .Build();

We add CORS and Authentication to services:

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(o => o.AddPolicy("AllowAll", builder =>
        {
            builder.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader().AllowCredentials().WithOrigins("*");
        }));

        services.AddAuthentication(o =>
        {
            o.DefaultAuthenticateScheme = HttpSysDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
            .AddJwtBearer(o =>
            {
                o.Events = new JwtBearerEvents { OnTokenValidated = context => AuthMiddleWare.VerifyJwt(context, _jwtPublicKey) };
            });
    }

We run an Angular application in Chrome, which is rejected with the following error message: "Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."

Also, any Bearer token message is rejected. Debugging reveals that our code to verify the JWT bearer (AuthMiddleWare.VerifyJwt) is never reached.

My guess is that HttpSys rejects any message not carrying either an NTLM or a Negotiate token, only I have no idea how to fix that.

In .NET Framework we used the AuthenticationSchemeSelectorDelegate to run the following code, which allowed OPTIONS messages and messages with a Bearer token to pass through the HttpSys listener:

    public AuthenticationSchemes EvaluateAuthentication(HttpListenerRequest request)
    {
        if (request.HttpMethod == "OPTIONS")
        {
            return AuthenticationSchemes.Anonymous;
        }

        if (request.Headers["Authorization"] != null && request.Headers["Authorization"].Contains("Bearer "))
        {
            return AuthenticationSchemes.Anonymous;
        }

        return AuthenticationSchemes.IntegratedWindowsAuthentication;
    }
  • Do you call app.UseCors()? Do you decorate your controller/action with EnableCors attribute? Commented Aug 14, 2019 at 8:45
  • Yes we use app.UseCors("AllowAll"); We had not used the EnableCors attribute. Just tried it. It didn't make any difference. Debug shows we never enter the pipeline. The request never comes out of HttpSys. So a Controller Attribute would not fix this. Thanks Commented Aug 14, 2019 at 9:31

1 Answer

We have this working now. Basically the problem was that allowing all three authentication methods is not a supported scenario in ASP.NET Core.

So the trick was to implement our own authentication in the pipeline.

Also see this GitHub issue: https://github.com/aspnet/AspNetCore/issues/13135
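
One way to do the per-request scheme selection in the pipeline, as an added example rather than the poster's actual code. It assumes HttpSys is configured with `options.Authentication.AllowAnonymous = true` (keeping the NTLM and Negotiate schemes) so that unauthenticated requests reach the middleware; the class name `SchemeSelectorMiddleware` is hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.HttpSys;

// Added example (hypothetical class). Assumes HttpSys runs with
// AllowAnonymous = true, so the decision is made here and not in HttpSys.
public class SchemeSelectorMiddleware
{
    private readonly RequestDelegate _next;
    public SchemeSelectorMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        // CORS preflight carries no credentials, so it passes unauthenticated.
        // Any action that answers OPTIONS itself is therefore anonymous.
        if (HttpMethods.IsOptions(context.Request.Method))
        {
            await _next(context);
            return;
        }

        // Select the scheme from the Authorization header, as the old
        // AuthenticationSchemeSelectorDelegate did, but authenticate the
        // request here instead of waving it through as Anonymous.
        string header = context.Request.Headers["Authorization"];
        bool isBearer = header != null &&
            header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase);
        string scheme = isBearer
            ? JwtBearerDefaults.AuthenticationScheme   // validated by AddJwtBearer
            : HttpSysDefaults.AuthenticationScheme;    // NTLM/Negotiate via HttpSys

        AuthenticateResult result = await context.AuthenticateAsync(scheme);
        if (!result.Succeeded)
        {
            // Fail closed: respond 401 with the challenge of the selected scheme.
            await context.ChallengeAsync(scheme);
            return;
        }

        context.User = result.Principal;
        await _next(context);
    }
}
```

Register it with `app.UseMiddleware<SchemeSelectorMiddleware>()` after `app.UseCors("AllowAll")`, so the CORS middleware answers preflight requests before authentication is attempted.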
