Asked by DennisTabako-7035 · last comment by ZhiLv-MSFT

ASP.NET Core 6 Server authorization - Having trouble with authorization

Hi,

I have an ASP.NET Core 6 application that serves as both a server and a client (it aggregates data from various machines and serves data to a client). It needs Windows Authentication for certain functionality, so I have set that up. It also uses SignalR for certain functionality. The problem I have is this: my application needs Windows Authentication set to true in launchSettings.json. If I also set Anonymous Authentication to true on the aggregating server, I can take calls from Postman and from the application deployed to the aggregated machines. But then SignalR can't make the connection between the web client and the aggregating server (InvalidOperationException: No authentication scheme specified). If I set Anonymous Authentication to false, SignalR is happy, but Postman and my aggregated-machine app get 401.2 (Unauthorized) when trying to call into the aggregating server. Is there any way to resolve this so both can work?

Thanks,
Dennis

dotnet-aspnet-core-webapi
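The "No authentication scheme specified" error the question describes is what `[Authorize]` throws when no default scheme is registered: with Anonymous Authentication enabled, IIS Express no longer forces Windows auth on every request, so the application itself has to say which scheme an `[Authorize]` endpoint means. The Program.cs below is an added example (not the original poster's code, and not from any linked article) showing one way to keep both settings on: Negotiate (Kerberos/NTLM) is registered as the default scheme, the SignalR hub requires it through a named policy, and the ingest endpoint the aggregated machines call stays anonymous. The hub class `AggregatorHub`, the routes, the `DataPoint` record and the group `CONTOSO\AggregatorMachines` are placeholders chosen for this example. It assumes the `Microsoft.AspNetCore.Authentication.Negotiate` package; per the ASP.NET Core docs the Negotiate handler defers to IIS when IIS has Windows Authentication enabled and performs the handshake itself under Kestrel, and if you only ever run under IIS/IIS Express, `AddAuthentication(IISDefaults.AuthenticationScheme)` with no `AddNegotiate()` is the documented alternative.

```csharp
// Added example, not the original poster's code: Program.cs for the aggregating
// server with Windows Authentication AND Anonymous Authentication both enabled
// in launchSettings.json / IIS. The hub name, route names, DataPoint record and
// the group CONTOSO\AggregatorMachines are placeholders chosen for this example.
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.SignalR;

var builder = WebApplication.CreateBuilder(args);

// "No authentication scheme specified" means [Authorize] had no default scheme
// to fall back on once anonymous access was allowed at the server level.
// Register Negotiate (Kerberos/NTLM) and make it the default scheme.
// Under IIS/IIS Express the handler defers to the server's own Windows
// Authentication (assumption: package Microsoft.AspNetCore.Authentication.Negotiate
// is referenced); under Kestrel it performs the handshake itself.
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
    .AddNegotiate();

builder.Services.AddAuthorization(options =>
{
    // Deliberately no FallbackPolicy: that would re-create the "everything
    // needs Windows auth" behaviour that broke Postman and the machine calls.
    // Name a policy for the endpoints that must be authenticated, and tie it
    // to a Windows group rather than to "any authenticated domain user".
    options.AddPolicy("AggregatorUsers", policy =>
        policy.RequireAuthenticatedUser()
              .RequireRole(@"CONTOSO\AggregatorMachines"));   // placeholder group
});

builder.Services.AddSignalR();

var app = builder.Build();

// Order matters: authentication before authorization, both before the
// endpoints that read HttpContext.User.
app.UseAuthentication();
app.UseAuthorization();

// SignalR hub used by the browser client; the [Authorize] on the hub class
// now resolves to the Negotiate scheme instead of throwing.
app.MapHub<AggregatorHub>("/hubs/aggregator");

// Ingest endpoint called by the aggregated machines. Marked anonymous to mirror
// the poster's current setup; a caller that does send Negotiate credentials is
// still authenticated, so the identity can be logged (or later required).
app.MapPost("/api/data", [AllowAnonymous] (DataPoint point, HttpContext context) =>
{
    var caller = context.User.Identity?.IsAuthenticated == true
        ? context.User.Identity.Name
        : "anonymous";
    return Results.Ok(new { receivedFrom = caller, point.Machine, point.Value });
});

app.Run();

// Placeholder types for this example.
public record DataPoint(string Machine, double Value);

[Authorize(Policy = "AggregatorUsers")]
public class AggregatorHub : Hub
{
    public Task Broadcast(DataPoint point) =>
        Clients.All.SendAsync("dataReceived", point);
}
```

The caveat a practitioner would want: leaving `/api/data` anonymous means any host that can reach the server can post data as if it were an aggregated machine. The example keeps it anonymous only because the question does; the durable fix is for the machine-side app to send Windows credentials and for the endpoint to require the same policy as the hub.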

If I set Anonymous Authentication to false, SignalR is happy but Postman and my aggregated-machine app get 401.2 (unauthorized) when trying to call into the aggregating server.

When using Postman to send the request, have you added the signature?

You could refer to the following articles. For Windows Authentication, when using Postman to send the request, it needs to use Postman's NTLM authentication:

Support for Windows Authentication

Pass NTLM with Postman

Postman 401 Unathorized using NTLM


You are describing how every web application works. The browser (client) must follow the authentication/authorization scheme configured on the web server. The web server must follow the authentication/authorization scheme set on the application services/DB server.

You have not explained how the security is supposed to work, which makes providing a solution rather difficult. A common scenario is that web applications are secured by an authentication cookie and web services are secured using OAuth/JWT. Database servers are secured by credentials.

Please read the Blazor security docs to find an authentication/authorization scheme that best fits your web application design.

ASP.NET Core Blazor authentication and authorization

The aggregate services should have documentation that explains how the security works. If you are the aggregate services owner, then you need to tell us how the security works.

Yeah, I'm definitely not up to speed on the web security stuff. I'm going to have to take a step back and just learn this stuff properly. Sometimes I tend to get stuck on a detail and try to work through that without taking in the whole concept. Thanks for setting me on that path. And thanks to you both for the links provided. After I go through the process, I'll come back to this if I have better/more specific questions.

ZhiLv-MSFT replied to DennisTabako-7035:

Hi @DennisTabako-7035,
Any update on this problem? If you are using OAuth/JWT authentication, when using Postman to send the request, it still needs to add the token to the header or add the cookie (if you are using a cookie to store the token). This is similar to using Windows Authentication: in Postman, you need to select NTLM authentication and enter the username and password.

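Both of ZhiLv-MSFT's comments make the same point: a caller has to answer the server's Windows Authentication challenge, which in Postman means selecting NTLM auth and entering domain credentials. The snippet below is an added example (not code from the thread) of the programmatic equivalent for the app that runs on each aggregated machine, so that Anonymous Authentication can stay off on the aggregating server. `UseDefaultCredentials = true` makes `HttpClient` answer the 401 `WWW-Authenticate: Negotiate`/`NTLM` challenge with the identity the process runs as; the .NET SignalR client exposes the same switch on its `HttpConnectionOptions`. The server URL, route and the `svc-aggregate` account are placeholders.

```csharp
// Added example, not code from the thread: the app on an aggregated machine
// calling the aggregating server with Windows credentials instead of
// anonymously. The URL, route and account names are placeholders.
using System.Net;
using System.Net.Http.Json;
using Microsoft.AspNetCore.SignalR.Client;   // package Microsoft.AspNetCore.SignalR.Client

var handler = new HttpClientHandler
{
    // Answer the server's 401 "WWW-Authenticate: Negotiate" / "NTLM" challenge
    // with the identity this process runs as (the service account on this
    // machine). This is the programmatic equivalent of choosing NTLM auth in
    // Postman and typing in domain credentials.
    UseDefaultCredentials = true,
    // Alternative: pin an explicit service account instead of the process identity.
    // Credentials = new NetworkCredential("svc-aggregate", password, "CONTOSO"),
};

using var http = new HttpClient(handler)
{
    BaseAddress = new Uri("https://aggregator.contoso.local/"),   // placeholder
};

// Constructed sample payload; the server side is assumed to accept
// { "machine": ..., "value": ... } on POST /api/data.
var payload = new { Machine = Environment.MachineName, Value = 42.0 };
var response = await http.PostAsJsonAsync("api/data", payload);

// How to read the result when Anonymous Authentication is off:
//   200  -> challenge answered and accepted
//   401  -> no credentials sent, or the server rejected them (IIS 401.2 means
//           the server's own auth configuration refused the request)
//   403  -> authenticated, but the caller fails the endpoint's policy
Console.WriteLine($"{(int)response.StatusCode} {await response.Content.ReadAsStringAsync()}");

// The .NET SignalR client sends Windows credentials the same way.
await using var hub = new HubConnectionBuilder()
    .WithUrl("https://aggregator.contoso.local/hubs/aggregator", options =>
    {
        options.UseDefaultCredentials = true;
    })
    .Build();
await hub.StartAsync();
Console.WriteLine($"hub connection: {hub.State}");
```

Note that `UseDefaultCredentials` authenticates as whatever account the aggregated-machine process runs under, so that account (or a group containing it) is what the server-side authorization policy has to name; a 403 after a successful challenge is the signal that the policy, not the credentials, is the mismatch.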

0 Answers