启用 Windows 身份验证的 IIS 中 CORS 请求的 401 响应 [英] 401 response for CORS request in IIS with Windows Auth enabled
问题描述
我正在尝试在我的 WebAPI 项目中启用 CORS 支持,如果我启用匿名身份验证,那么一切正常,但是使用 Windows 身份验证 + 禁用匿名身份验证,发送的 OPTIONS 请求总是返回 401 未经授权的响应.请求它的站点位于 DOMAIN 上,因此应该能够拨打电话,有没有办法在不禁用 Windows 身份验证的情况下解决此问题?
I'm trying to enable CORS support in my WebAPI project, and if I enable Anonymous Authentication then everything works fine, but with Windows Auth + disabled anonymous authentication, the OPTIONS request sent always returns a 401 unauthorized response. The site requesting it is on the DOMAIN so should be able to make the call, is there any way to get around the issue without disabling Windows Authentication?
推荐答案
来自 MS:
如果您禁用匿名身份验证,IIS 会根据设计向任何请求返回 401.如果他们启用了 Windows 身份验证,则在这种情况下的 401 响应将具有 WWW-Authenticate 标头以允许客户端启动身份验证握手.那么问题就变成了客户使用的客户端是否可以进行 Windows 身份验证.
If you disable anonymous authentication, it’s by design that IIS would return a 401 to any request. If they have enabled Windows auth, the 401 response in that case would have a WWW-Authenticate header to allow the client to start an authentication handshake. The question then becomes whether the client that the customer is using can do Windows authentication or not.
最后,似乎可能存在一个潜在问题,即是否可以配置一个 URL,以便允许一个动词(在本例中为 OPTIONS)匿名访问,但其他动词需要 Windows 身份验证.IIS 不通过简单的配置来支持这一点.通过同时启用匿名和 Windows 身份验证,在拒绝匿名用户访问的内容上设置 ACL,然后为相关 URL 配置处理程序映射,使其不验证是否存在与 URL 关联的文件.但是需要一些时间来确认这一点.
Finally, it seems like there might be an underlying question about whether it’s possible or not to configure a URL such that anonymous access is allowed for one verb (OPTIONS, in this case), but require Windows authentication for other verbs. IIS does not support this through simple configuration. It might be possible to get this behavior by enabling both Anonymous and Windows authentication, setting ACLs on the content that deny access to the anonymous user, and then configuring the handler mapping for the URL in question so that it does not verify the existence of the file associated with the URL. But it would take some playing with it to confirm this.
这篇关于启用 Windows 身份验证的 IIS 中 CORS 请求的 401 响应的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
