I have an application that is broken up into 3 tiers. I have Identity Server 4, a Web API and a C# Razor/MVC (.NET 5) application deployed separately all on the same domain. There is a reverse proxy setup to route requests for each to their own server. So www.somedomain.com/IdentityServer, www.somedomain.com/MVC and www.somedomain.com/api.
I am using Identity Server to authenticate and we can successfully do so without an issue. However when I try to call one of the API endpoints (which are decorated with the [Authorize] attribute) from the C# Razor/MVC application I get a 'Authorization failed! Given Policy has not been granted' error.
When I run the same endpoint that the C# Razor app consumes using swagger/postman (after I've been authorized and get a token) I have no problem returning returning valid results, so the issue seems to be related my authentication between the Razor app and Web API.
When I run these 3 tiers locally in Visual Studio (all with localhost but a different port #), it all works just fine.
Any thoughts or additional information needed to give me some ideas of what the issue may be? Thank you so much in advance for your help.
Related
I'm pretty new to Azure, and I wanted to get familiar with using Azure AD auth as an authentication provider for a dotnet core web app.
I followed this tutorial: https://learn.microsoft.com/en-us/azure/app-service/tutorial-auth-aad?pivots=platform-linux
It worked as described, but I have to be missing something, because the way it's deployed doesn't make any sense to me.
The "starting point" tutorial code is this repo, here: https://github.com/Azure-Samples/dotnet-core-api
It's a simple dotnet core web app that hosts an Angular frontend. Through the course of the tutorial, you make some changes to get the "frontend" to talk to the "backend", and you add two remotes to your Git repo - frontend and backend - but they're on the same repo.
As I understand it, at the end of this tutorial, I have two nearly-identical Azure App Service instances running in my Azure resource group. They are both running the same code. Both include the full-stack application - both are hosting a Kestrel or HTTP.sys (or whatever) instance on port 443 at their respective .azurewebsites.net URL - both show my index.html page - but one is supposed to be the "frontend" and the other is supposed to be the "backend". The only thing different about the "frontend" and "backend" is that the "backend" has an identity provider configured, and the "frontend" has API permissions granted to it from the "frontend".
Is it really necessary to have the whole service running in both places? Is there a way to host the actual dotnet core API service as an App Service, host the HTML / JS / CSS separately as an Azure Static Page (or something similar), and still configure the identity provider? Or does it have to be like this? It seems like overkill, from a technical standpoint, as well as from a billing standpoint.
As #Caius Jard mentioned, we can include both of them in a single solution. We can actually use MVC Web Application in this case where we can create a frontend in view and write the actual code in control. If we are using a core application then we can create the backend and frontend in two environments such as Angular for Frontend and .Net core for Backend and integrate them.
REFERENCES:
Azure AD Authentication For MVC Web Application (c-sharpcorner.com)
Angular and .Net core - Azure AD authentication | The-worst.dev
I have a WCF Service written for .NET Framework 4.7.2 at http://wcfservice.mydomain.com/service.svc
I also have a REST API written for .NET Core 3.1 at http://api.mydomain.com/
REST API has methods which act as transparent proxies which call WCF Service endpoints to fetch data. I have created the ServiceReference.cs in the REST API project via svcutil.
When I run the WCF Service both on Visual Studio 2019 and remote server IIS it works OK. No problems.
When I run these two projects on my local PC everything still seems OK. REST API works perfectly, calls data from WCF service and return response correctly. But when I move these two projects to the remote server IIS when I call the REST API it returns "The remote server returned an unexpected response: (405) Method Not Allowed" error.
Another strange thing is that for another project I use the same approach for a different REST API which works as a proxy to another WCF service hosted on the same remote server IIS, there is absolutely no problem and it works fine.
I have made some research and found no exact match for my case. Nobody faced this error while calling the WCF Service from a REST API. For the rest people mainly suggest two things : "Modification on Web.Config file" or "Adding WCF Activation".
First of all since I am using auto-generated code by svcutil I am not using a Web.config file which hold Service parameters and not sure to modify where and how.
Secondly, When I check the IIS I see that "HTTP activation" is already enabled under "WCF services" and I can not add "WCF HTTP Activation" under ".NET Framework 3.5". I face an error when I try to so.
Also I don't think these might be the solution because other projects on the IIS work well. I also checked application logs and Event Viewer logs but there is nothing helpful there.
I really appreciate a help on this issue.
Thanks in advance.
I have an existing MVC application that I inherited from someone else.
I am now trying to take some of the API calls from the old application and move them into a new application.
The problem is, when the MVC application tries to call the API calls in the new application, it gets a 401.2 (unauthorised) response.
I have read that 401.2 means that the front end and the back end are using different authentication protocols, which would make sense to me.
Here is a snip of the response headers for the account call in the new application:
and here is a snip of the same response headers when calling the same API from the old application:
This looks to me like they are using different protocols - am I correct? The main difference seems to be the 'WWW-Authenticate:Negotiate' on the failed request - but I do not know how I can fix this?
If so, can anyone advise what I need to change in my MVC project to make it use the Auth type of the first project?
Both aps use the same database if that is any help?
I know this question is a bit vague, but I have no idea where to look to fix this.
Any help would be greatly appreciated...
You would need a Single Sign-on to maintain your credentials through different apps, you could:
Use Identity Server 4 or Identity Server 3 To generate token credentials for you WEB API Projects.
MVC
JS
User Forms authentication on your mvc Projects:
Example
Use cookie based Authorization:
Cookie authorization with OWIN
I recommend Using Identity Server.
.I have a server within windows domain. Within that server there is IIS 7.5 installed.
IIS serves requests to one web application for which NTLM windows authentication and impersonation are enabled. App pool is separate and has 2.0 version. Application has single-page front-end part. So user enters front-end part, enters credentials and works with it. Nothing especial here, for sure.
Recently I've added one more web service which is hosted also by IIS on another port in a separate app pool with 4.0 version.
What I need is - sending requests from first app via Ajax to this new app, passing through windows auth. Of course - without additional prompt.
The idea is - front-end from first app should send requests to this new one app via jquery ajax, passing through credentials.
What are the recommendations to achieve it without SSO etc.?
Should I look for something like reverse proxy or there is something more obvious?
Thanks in advance.
Ok. I'll put my own answer here.
So, the idea how NTLM works was absolutely clear. That's why the questions was asked.
As result - to achieve pass through on different web apps using NTLM - not possible. Because of how NTLM works and double-hop issue (http://blogs.msdn.com/b/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx)
Finally I came up with such solution:
- Created child application in a separate .NET 4 app pool.
- Sent all the requests from parent to that child.
In this case authentication is passed through without issues, of course.
The only one problem here is related to the fact that two services have to live within one IIS server and have this parent-child relation.
We have a web application developed in MVC 4 using Razor (.Net framework 4) and we have another web application developed using .net framework 2.0 without MVC.
We are sharing form authentication using machine key and we are sharing sessions between both application by changing the application name in global.asax.
When we run our project in local environment and in local IIS aswell both of them is working normally and all the multiple requests are processed and completed as usual.
But when we publish our project in IIS hosting server form authentication, session sharing and everything is working normally for a while but after sending multiple requests the MVC doesnot seem to process the request and its blocked so we are not able to send new requests.
Can any one please help us resolve this issue and explain where actually the problem is arising?
Thank you