Windows Authentication and Web API 2
I've recently had a situation come up at work where I need to protect our ASP.NET Web API 2 deployment with Windows Authentication. We run our web client through Chrome and IE and we needed the NTLM negotiation to be handled gracefully. There are a few things that we had to put in place to get this to go. Here they are in list form. The code for both the problem and the solution is here on my github.
- API
- Add a custom header to the web config to allow the client to send us credentials
- Access-Control-Allow-Credentials
- Design a mechanism to configure allowed origins and respond to each request from acceptable domains with a proper Access-Control-Allow-Origin header value
- The approach I've taken is to:
- Create a custom config section to hold the acceptable domains
- Create a custom handler to pipe every request through
- Register the handler in App_Start
- The approach I've taken is to:
- Add a custom header to the web config to allow the client to send us credentials
- Javascript client
That's it!
UPDATE 3/2/2016:
When using angular, it's not necessary to send that config object per-request. I've modified the code on my
github to show that the $httpProvider
object can be configured to send credentials on every http request by default.