ASP.Net Core 3.1 - IIS 10.0 - Windows Authentification

Question

I have banged head lately on a Authentication issue on IIS/Windows Server 2016. I have two websites, each running ASP.Net Core WEB API, let us call them A and B. Both sites are running with Anonymous disabled, and Windows Authentication enabled, this is done to be able to get the name of Windows User calling the WEB API.

Each site works nicely, including getting the Username of the Windows user calling the WEB API.

My issue is that Site A want's to call Site B's WEB API methods, this is done by using a HttpClient:

        var handler = new HttpClientHandler
        {
            UseDefaultCredentials = true,
            PreAuthenticate = true
        };
        HttpClient = new HttpClient(handler);
        HttpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

I keep getting a Unauthorized Http 401 when site A Web API calls site B's WEB API . If I turn on Anonymous Authentication on Site B , it works fine.

If Site A is started outside IIS as an Console App, it also works very fine, because Site A is running in my user Context.

My theory is that it is IIS that throws the 401, and not site B itself.

Is there anything I need to do with the way that Site B is configured on the IIS to allow the API calls from site A?. My experience is that it doesn't matter what happens inside site B, the API call from site A is blocked before that point.

Thanks in advance:-)

Answer 1

I quitted - and jumped to CORS instead - and IIS CORS Module, and got it working very nicely.

IIS CORS Module has the abillity to handle CORS preflight request without colliding with Windows Authentication, and can easily be configured in web.config.