Windows Auth Forgotten in API Context

  • Question

  • User369345748 posted

    I am building a Web API 2 intranet app using Windows Authentication. Web.config is set as below:

    <authentication mode="Windows" />
    <identity impersonate="true"/>
    <authorization>
    <deny users="?" />
    etc...

    In Session_Start of Global.asax, the credentials are present under User.Identity.Name,
    and var RoleList = Roles.GetRolesForUser(); returns a perfect list of roles defined through AzMan, including Role = "APIUser".

    When this redirects to Home/Index, these values are still present:
    http://localhost:1234/

    But when I launch http://localhost:1234/API/MyFunc, the credentials in HttpContext.Current.User.Identity are null, so the function prompts for a login when I try to apply an Authorization filter:

    [Authorize(Roles="APIUser")]
    public IQueryable<Employee> MyFunc(int id)

    How do I fix this and ensure the id still exists?

    Tuesday, July 21, 2015 12:03 PM

Answers

  • User369345748 posted

    I tried adding OWIN to the project, but it didn't fix things. I looked into the code a bit more and found the following in the WebApiConfig:

    config.SuppressDefaultHostAuthentication();
    
    config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));


    These look like they overrode the values in Web.config and attempted to implement OAuth authentication instead. The fact that they were in the Web API config points to why the MVC app worked OK and the API didn't. Possibly I selected the wrong authentication protocol. I built a new Web API from scratch and found that Api/Values now held on to my credentials and the associated roles. So I used that to create some new controllers, and my Authorize filter now works too.

    Thanks for your help

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, July 23, 2015 10:35 AM
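
An added example, not code from the thread or from the project template: a `WebApiConfig` for an intranet Web API 2 app that keeps the host's Windows principal by leaving out the two lines quoted in the answer, plus a small diagnostic action for confirming what identity and role the API pipeline sees. The `WhoAmIController` name and the `api/whoami` route are hypothetical; the `APIUser` role name comes from the question.

```csharp
using System.Security.Principal;
using System.Web.Http;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // The two template lines quoted in the post are left out on purpose.
        // SuppressDefaultHostAuthentication() discards the principal the host
        // (IIS Windows authentication) attached to the request, and the
        // HostAuthenticationFilter then accepts only OWIN bearer tokens:
        //
        //   config.SuppressDefaultHostAuthentication();
        //   config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

        // Reject anonymous callers on every API action by default, matching
        // <deny users="?" /> in Web.config.
        config.Filters.Add(new AuthorizeAttribute());

        config.MapHttpAttributeRoutes();
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional });
    }
}

// Hypothetical diagnostic controller (assumption for this example): GET api/whoami
public class WhoAmIController : ApiController
{
    public IHttpActionResult Get()
    {
        IPrincipal user = User; // ApiController.User, the request principal
        return Ok(new
        {
            Name = user.Identity.Name,
            AuthenticationType = user.Identity.AuthenticationType,
            IsAuthenticated = user.Identity.IsAuthenticated,
            IsApiUser = user.IsInRole("APIUser") // role name from the question
        });
    }
}
```

If the diagnostic action answers with a 401 or a login prompt while the MVC pages show the Windows user, the API pipeline is not receiving the host principal.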

All replies

  • User2024324573 posted

    Are you using OWIN middleware? Please refer to the post below:

    http://stackoverflow.com/questions/31078855/httpcontext-current-user-null-with-web-api-v2-only-project

    Hope this will help.

    Tuesday, July 21, 2015 11:57 PM
  • User369345748 posted

    I'd not explicitly added OWIN; it was a new Web API (intranet) project. Thank you for the link - it certainly looks like the same symptoms.

    Wednesday, July 22, 2015 4:20 AM