Windows Authentication not prompting on Firefox or iOS Safari - wcf

I have two WCF WebHttpBinding-bound self-hosted services. One is set to WebHttpSecurityMode.TransportCredentialOnly and HttpClientCredentialType.Windows. The other is set to None and None.
This service is serving exactly the intended authentication prompt behavior on Chrome and IE, with correct content types and content. Testing on localhost and remotely (not on a domain). In IE, the default settings for integrated authentication send my credentials immediately to the authenticated service. In Chrome, the default settings prompt me for my Windows authentication credentials.
But in Firefox I get no such prompt - just an error in Firebug of 401 Unauthorized and a blank page otherwise. I assume iOS has the same 401 Unauthorized problem, although the debugger console doesn't show any errors - I just get a blank page.
I don't know how relevant the WCF WebHttpBinding is versus a standard IIS-hosted website, but all the other googles I find are about someone trying to STOP the Windows Auth prompt in favor of Integrated Security mode in non-IE browsers. I kind of have the opposite problem - it's not showing up for me.
Is there something nuanced about the webservice response that Firefox and Safari are sensitive to that Chrome and IE are not sensitive to?
I'm testing on Windows 8 with IE 10 and the latest releases of the other browsers at the time of writing.
Thanks!
If I set it to HttpClientCredentialType.NTLM then all browsers work. But as I understand it, NTLM disallows the more secure Kerberos domain credentials (if they're available). I don't want to force a less-secure option!

Kerberos works well with IE and since Chrome shares stuff with IE, it works for Chrome too. For Firefox, you have to enable it. See here. Safari on Mac OS should work but not sure about other OS'.
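An added example, not part of the original question or answer: a Python check of which schemes a 401 response advertises in WWW-Authenticate, the header a browser reads to decide whether and how to authenticate. The sample responses are constructed, and the mapping of HttpClientCredentialType.Windows to a Negotiate challenge and of the NTLM setting to an NTLM challenge is an assumption.

```python
import re

# Constructed 401 responses, not captured from the poster's services. Assumption:
# the Windows credential type sends Negotiate, the NTLM credential type sends NTLM.
RESP_WINDOWS = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n\r\n"
RESP_NTLM = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM\r\n\r\n"
RESP_MIXED = ("HTTP/1.1 401 Unauthorized\r\n"
              'www-authenticate: Negotiate, Basic realm="svc, internal"\r\n'
              "WWW-Authenticate: NTLM\r\n\r\n")

_SCHEME = re.compile(r"^([A-Za-z0-9!#$%&'*+.^_`|~-]+)(?:\s+(.*))?$", re.S)

def _split_outside_quotes(value):
    """Split a header value on commas that are not inside a quoted-string."""
    parts, buf, quoted = [], "", False
    for i, ch in enumerate(value):
        if ch == '"' and (i == 0 or value[i - 1] != "\\"):
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    parts.append(buf.strip())
    return [p for p in parts if p]

def challenge_schemes(raw_response):
    """Return the auth schemes offered in a raw HTTP response, in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        for part in _split_outside_quotes(value):
            m = _SCHEME.match(part)
            # "realm=..." continues the previous challenge; it is not a scheme.
            if m and not (m.group(2) or "").startswith("="):
                schemes.append(m.group(1))
    return schemes

def diagnose(raw_response):
    status = raw_response.split(" ", 2)[1]
    offered = {s.lower() for s in challenge_schemes(raw_response)}
    if status != "401" or not offered:
        return "no-challenge"
    if offered == {"negotiate"}:
        return "negotiate-only"  # the setup the question reports failing in Firefox
    return "ntlm-offered" if "ntlm" in offered else "other-scheme"
```

Running `diagnose` on the headers shown in Firebug or a proxy capture tells you whether the service is offering only Negotiate or also a scheme the browser will prompt for.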

Related

Vaadin "Cookies Disabled" Message in Chrome

I created a Vaadin (8.2.0) web app in Netbeans and uploaded it on a Glassfish (4.1) server. I can access the app's home page in Edge and Firefox, however in Chrome I get this message:
Cookies disabled
This application requires cookies to function. Please enable cookies in your browser and click here or press ESC to try again.
I double checked my chrome settings and know that cookies are allowed. I even added the server specifically in the allowed list.
What do you think is missing?
As Artur Signell mentioned in the comments, the solution was to simply clear all the cached cookies in the Chrome web browser. After that, the app just worked fine and I didn't get that error.
I was having the same problem. I noticed that switching to HTTPS led to these errors not occurring. The same site would throw this error when I accessed it via HTTP, but if I went to the site via HTTPS, then the problem did not occur.

ADFS web authentication loop in IE

I have an MVC4 web app that sits behind ADFS 2.0 authentication; it's configured using the web.config file. The application can be visited by going directly to a URL or as an iframe inside of CRM 2013.
The application works in all (tested) browsers when visiting the URL directly, both redirection to login form and handing the user back to the web app with the proper information in the ClaimsIdentity.
However, when visiting the app as an iframe inside CRM2013, Internet Explorer goes into a continuous login loop. You are asked to provide the credentials (which are the same as for logging in to CRM) and when you click OK you get redirected back to the same login page again; to my knowledge the app never receives the hand-off.
In Safari, Chrome, Firefox, and Opera the users are able to log into the application inside of CRM as well as outside without any problems (I'd even go as far as saying that it works better than expected for these browsers).
Does anyone have any idea of what I can try or what the problem could be for IE?
EDIT 1
I'm thinking it has to do with some security setting and am playing around with the settings in IE. Unchecking this box stops the login form from showing in IE at all and I get an empty page instead.
Is the iFrame on the same (sub)domain as the site inside? You can use Fiddler to view your redirect flow, are the cookies added as expected?
I've seen cookies that are overridden by the iFrame host, in that case you lose the auth cookie. Browsers react differently on same domain cookies.
Another problem might be X-Frame-Options, do you see any warning in the F12 console of IE?
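The two checks suggested in the answer above (are cookies coming back as expected, and is X-Frame-Options in play), as an added Python example that is not part of the original thread. The capture is constructed; the hosts, paths and cookie name are placeholders, and cookie scoping is simplified to the host name only.

```python
from urllib.parse import urlsplit

# Constructed capture, shaped like a proxy export of the framed sign-in flow.
# Hosts, paths and the cookie name are placeholders, not values from the post.
FLOW = [
    {"url": "https://app.example.test/", "cookie": "",
     "headers": [("Location", "https://sts.example.test/adfs/ls/")]},
    {"url": "https://sts.example.test/adfs/ls/", "cookie": "",
     "headers": [("X-Frame-Options", "DENY")]},
    {"url": "https://app.example.test/", "cookie": "",
     "headers": [("Set-Cookie", "AppAuth=abc; Path=/; Secure; HttpOnly")]},
    {"url": "https://app.example.test/home", "cookie": "", "headers": []},
]

def origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def audit_flow(hops, top_origin):
    """Flag responses a frame would refuse and cookies that never come back."""
    findings, jar = [], {}  # jar: host -> cookie names set so far
    for hop in hops:
        host = urlsplit(hop["url"]).netloc.lower()
        sent = {c.split("=", 1)[0].strip()
                for c in hop["cookie"].split(";") if c.strip()}
        # A cookie set earlier for this host but absent now was dropped.
        for name in sorted(jar.get(host, set()) - sent):
            findings.append(("cookie-not-returned", name, hop["url"]))
        for key, value in hop["headers"]:
            key = key.lower()
            if key == "set-cookie":
                name = value.split(";", 1)[0].split("=", 1)[0].strip()
                jar.setdefault(host, set()).add(name)
            elif key == "x-frame-options":
                policy = value.strip().upper()
                same = origin(hop["url"]) == top_origin.lower()
                if policy == "DENY" or (policy == "SAMEORIGIN" and not same):
                    findings.append(("frame-blocked", policy, hop["url"]))
    return findings
```

Call `audit_flow(FLOW, "https://crm.example.test")` with the origin of the page hosting the iframe; a `cookie-not-returned` finding on the hop after sign-in is the pattern that shows up as a login loop.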

Can you send cookies with XmlHttpRequest from Safari extension?

While debugging why my extension doesn't work in Safari (but does in other browsers), I noticed that I can send an arbitrary made-up HTTP header with XmlHttpRequest in a Safari toolbar extension. But when I try to do the same with a header named "Cookie" with the same content as before, it doesn't get sent.
So does Safari restrict sending back cookies with requests, or do you need to follow an alternate process to do so? Seems kind of lame since this blocks functionality of apps that require session state persistence, for example. If there's an alternate process, Apple made it harder to maintain session state in extensions (extra work in adapting a web app or other browser extension).
I tested using Safari 5.1.7 on Mac OS X 10.7.5 with Charles proxy.
Just figured I should post the solution that worked for me, which I commented on my own question earlier, for easier viewing by others with a similar problem:
Turns out for Safari extension, what works for me is to set the browser to not block any cookies and website data. So users would have to do that to use the extension. No code changes needed. But that's not cool though.
The particular step is Safari > Preferences > Privacy > Cookies and website data: Always allow (at least under Safari 10 on Mac OS Yosemite). Although one could try "Allow from websites I visit" to see if that more restrictive option will work or not.

Apache authentication, security exceptions and safari

I have Apache authentication set up on a WordPress multisite instance. It works fine in Firefox and Chrome: you type in the username/pass once and then you can happily visit any page on the site. Unfortunately this is not the behavior in Safari. Every time you go to another page, you must re-enter your credentials.
Is there some way I can look at the security exceptions for Safari and set it to always trust the certificate or find some other setting to not ask for authentication on each page?

Google Chrome 16 issues with ASP.NET forms authentication cookie

I have a problem with Google Chrome 16 on one of the sites I'm supporting that I haven't been able to fix for a couple of days now.
The site is using forms authentication. There is a hyperlink that when clicked is calling a web handler, that is supposed to go fetch a PDF file. Everything is working great in all browsers except in Google Chrome.
When I click that link in Chrome it gives me 401 - Unauthorized: Access is denied due to invalid credentials. I've checked the request headers and the only difference I can see is that the authentication cookie is not present in the request made by Chrome 16. The strange thing is that everything is working great on the local machine, but once uploaded to the production server Chrome is not sending that cookie.
I've implemented IReadOnlySessionState interface in the web handler, as suggested here and there in forums, but this didn't solve the issue.
Do any of you have an idea why Chrome is acting like that?
To check your cookie acceptance:
Click the wrench icon (Top Right)
Click "Options"
Click "Under the Hood"
Click "Content Settings"
Make sure that "Block third-party cookies from being set" isn't checked.
That was what fixed the issue on the site I was on. You can also see a special icon in the address bar on the right when it blocks a cookie.
For more precision there is a "Manage Exceptions" button under cookies in the Content Settings. You can use that to specifically allow the site in question.