ThreeMammals / Ocelot

.NET API Gateway
https://www.nuget.org/packages/Ocelot
MIT License

IIS Windows Auth Intermittent 401.1 #2121

Closed arj01a closed 1 month ago

arj01a commented 1 month ago

Expected Behavior / New Feature

Ocelot should be working with Windows Authentication

Actual Behavior / Motivation for New Feature

Ocelot should be working with Windows Authentication

Steps to Reproduce the Problem

I have deployed the Gateway on IIS with anonymous. The service is deployed on IIS with windows authentication.

I managed to get this working with one issue that all requests were being made under the first user. To solve this I enabled authPersistSingleRequest=True

This caused a subsequent issue whereby when making multiple requests (approx. 6 or more) in quick succession some of the requests receive a 401.1 error "The token supplied to the function is invalid".

I have tested setting authPersistSingleRequest=True without using the Gateway and this works without the above issue.

Please can you assist me with this issue?

Specifications

raman-m commented 1 month ago

Dear @arj01a, Who are you? Why is your account anonymous?

arj01a commented 1 month ago

Hello, I am a software engineer trying to use Ocelot as a Gateway. This is my first post on GitHub. I would appreciate any assistance. Thanks

raman-m commented 1 month ago

I mean, what's your full name? What's your LinkedIn? We don't accept issues from anonymous GitHub users.

raman-m commented 1 month ago

Duplicate of #657

raman-m commented 1 month ago

> I managed to get this working with one issue that all requests were being made under the first user. To solve this I enabled authPersistSingleRequest=True

For a detailed explanation, refer to the comment in this issue: https://github.com/ThreeMammals/Ocelot/issues/657#issuecomment-606496289. The pull request #1521 should address the problem with any Windows Authentication issues.

> I have tested setting authPersistSingleRequest=True without using the Gateway and this works without the above issue. Please can you assist me with this issue?

Consider the following workaround until merge #1521 is complete: you'll need to define two routes for Windows authentication:

This method should be applicable for any authentication providers and custom authentications not integrated into Ocelot. I hope this is helpful!

raman-m commented 1 month ago

Will be fixed by https://github.com/ThreeMammals/Ocelot/pull/1521

arj01a commented 1 month ago

Thanks for the information, I will give the workaround a try with setting UseDefaultCredentials in the delegating handler

raman-m commented 1 month ago

Good luck!

arj01a commented 1 month ago

Just a quick update. I have managed to get the gateway working with Windows Authentication on IIS, here are the steps if it helps someone in the future

IIS Gateway => Windows Authentication
IIS Service => Windows Authentication

authPersistSingleRequest=False

  1. Implemented a Delegating Handler to set UseDefaultCredentials
  2. Set the Http Handler Option "PooledConnectionLifeTime" to 0 (so not to reuse an existing connection).
  3. Set the value BackConnectionHostNames in the registry => key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 to my site. (this step is only relevant if you host the gateway and the service on the same computer).

All steps had to be completed for the gateway to work with my set-up.

Thanks for your help and guidance.
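The delegating handler from step 1, written out as an added example (not the poster's or Ocelot's code). The class name is hypothetical, and it assumes a fresh HttpClientHandler per request in place of Ocelot's pooled client, which covers step 2 at the same time.

```csharp
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical name. Register globally (Ocelot.DependencyInjection namespace) with:
//   services.AddOcelot().AddDelegatingHandler<WindowsAuthDelegatingHandler>(global: true);
// or per route via "DelegatingHandlers": ["WindowsAuthDelegatingHandler"] in ocelot.json.
public sealed class WindowsAuthDelegatingHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Steps 1 and 2 together: a new HttpClientHandler for every request instead of
        // Ocelot's pooled one, so the NTLM/Negotiate handshake that IIS ties to the TCP
        // connection is never reused for a different request.
        using var handler = new HttpClientHandler
        {
            // CredentialCache.DefaultCredentials, i.e. the Windows identity this code
            // runs as. On IIS without impersonation that is the application pool
            // identity: the downstream service authenticates the gateway, not the user.
            UseDefaultCredentials = true,
            // Hand downstream 3xx responses back to the caller rather than following them.
            AllowAutoRedirect = false,
        };

        // HttpMessageInvoker rather than HttpClient: HttpClient rejects a request message
        // that has already been sent once, and Ocelot's own HttpClient has sent this one.
        using var invoker = new HttpMessageInvoker(handler, disposeHandler: false);
        var response = await invoker.SendAsync(request, cancellationToken);

        // The handler is disposed when this method returns, which would close the
        // connection under a body Ocelot has not read yet, so buffer the body first.
        // Trade-off: each downstream response is held in gateway memory in full.
        if (response.Content != null)
        {
            await response.Content.LoadIntoBufferAsync();
        }

        return response;
    }
}
```

Forwarding the browser user's own identity to the service instead would need impersonation plus Kerberos delegation for the second hop, which this handler does not attempt.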

raman-m commented 1 month ago

Congratulations, anonymous user! Your journey with IIS has concluded. However, this solution is not applicable for self-hosted scenarios such as Kestrel in Docker.