The Application
In short, the application surfaces data from a backend onto a web page. The client application is a Single Page Application made using AngularJS. It calls an ASP.NET Web API service located on a different domain to retrieve the data. I utilize BreezeJS on both the client application and the web service to manage this data. The client is hosted on a SharePoint Online site, and the service is hosted on IIS7.
The Error
I encounter an "Access is Denied" error when AngularJS attempts to make an XMLHttpRequest.open() call targeting this web service. However, though this seems like a simple CORS issue, it has some peculiarities which have me stumped:
Foremost, this error only occurs when using Internet Explorer 11 (or a previous version). When the application is viewed in Chrome or Firefox, it can connect and retrieve data from the service.
The web service is configured to accept the calling origin.
No network traffic is detected either by the native IE development tools or by Fiddler.
Specifically, the line: xhr.open(method, url, true); of the angular.js file throws this error.
Does anyone have any insight as to why this error occurs?
Also, if more specific details are needed I certainly can provide them. I'm not even sure where the issue might be coming from and I don't want to dump tons of irrelevant lines of code.
I think that this is due to using "localHost", i.e when attempting to access a resource in the "Local intranet" zone from an origin in the "Internet" zone.
See: Access denied in IE 10 and 11 when ajax target is localhost
This is not just a localhost issue as previously suggested. I have a production AngularJS application that is trying to POST to a public Web API 2 on a different domain. IE11, Chrome, and Firefox work without a hitch when the site is accessed externally. When accessing from a subnet that can talk directly to those servers, I get Access Denied and IE doesn't even send the request (Chrome and Firefox work flawlessly, of course. One workaround (I refuse to call this a fix) is to add the site as a Trusted Site in IE11. Even when the security settings for Internet mirror the settings for Trusted Site, I get access denied. I have to add the site on each internal IE system to gain access.
Related
Access to a web application for certain users (not all), at certain times (not always) results in the following error
In IE:
This page can’t be displayed Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in
Advanced settings and try connecting to https://SITEADDRESS again. If
this error persists, it is possible that this site uses an unsupported
protocol or cipher suite such as RC4 (link for the details), which is
not considered secure. Please contact your site administrator.
In Chrome, I get a ERR_CONNECTION_RESET
F12> Network tab shows no activity when trying to access the site.
Any ideas on what might be the issue and how to address it. The web application is built on Angularjs and is running on IIS
The issue in this case was the gateway that we were using for our VPN to Microsoft Azure. Upgraded that to Express Route and the issue went away
We've got an Angular app that uses Auth0 for SSO login. We primarily use Macs and develop and test locally using the localhost web server. Browsing the site locally using browsers on Mac works fine. We can authenticate and the subsequent redirect does the right thing. The problem is browsing with IE. We can connect to the localhost web server on OS X using the IP address. We had to edit the Windows hosts file to map the Mac's IP address to localhost due to our app using full URLs/URIs as primary keys, so that the keys match.
When I browse the site using IE11 on Parallels, login using Auth0, it looks to authenticate just fine, but afterwards, we get an error when it tries to redirect:
XMLHttpRequest for https://mindjet.auth0.com/tokeninfo? required Cross Origin Resource Sharing (CORS).
Auth0 does have a field for specifying allowed CORS origins, and I tried every conceivable URL that our app exposes, even just *. But nothing worked. In our Angular app, I've tried setting $httpProvider.defaults.useXDomain = true; That didn't work either. I'm new to the CORS concept, so any insights would be greatly appreciated. We just want to find a way to test with IE without having to deploy to a dev server.
Our main issue that we couldn't test with IE11 seems to have been resolved by updating our auth0-angular and auth0-widget libraries to the latest version. I still occasionally see warnings about CORS issues in the console, but we are able to login and get redirected to the correct part of our app.
I am developing a linkedin enabled Silverlight application. LinkedIn API calls are made through Oauth2 over REST platform. I am able to fetch authorization code,access token and make API calls while running the application as "localhost" or in local IIS. However, when I try to access the deployed application outside the environment with Public IP, I am unable to make LinkedIn API calls. While debugging with Fiddler, the trace shows that "crossdomain.xml and clientaccesspolicy.xml" not found in http://www.linkedin.com/crossdomain.xml. I am unsure why this problem occurs only when we try accessing the hosted application outside and doesn't occur while running under localhost. I have tried placing both these xml files in the root folder of IIS and also inside our application hosted folder. Looking forward for your kind suggestions/help resolving this.
Thanks,
Subbu
OK, this used to work, but it appears to have stopped working on January 1st.
We have a .NET page that is displaying some data to our internal mobile users. This page is set up with Anonymous Authentication in IIS7. (Windows Server 2008 R2 is the OS of the web server.) When accessing via our intranet, the page displays fine. When attempting to access via our Blackberries, we get the following error message:
"Error: Page cannot be displayed. Please contact your service provider for more details. (1)"
Is this an IIS error, an AT&T issue, or a Blackberry issue? My Director is on my case about it, and I'm not experienced enough in IIS to know of anything else that would cause this functionality...
You should check with your network ops team. I'm guessing that the blackberries are accessing the server from the external intranet (that's just a guess though) ... so have them double check that the domain/ip is accessible externally. That could be why you can access it from in the network.
Or if your blackberries are configured to access the network via VPN, I would double check that connectivity.
Forgot to post the resolution to this.
It turned out to be a Blackberry issue. With the latest OS, RIM combined the internal and external browsers into one browser. Said browser attempts to determine if a given site is an intranet or internet site. Even though the BES (sp?) was set up correctly, our service was still spotty. Some people could enter our intranet homepage address and get the intranet; others got the web squatter site on the internet. Since the page we were trying to access was nested fairly deeply in the directory structure, the web squatters didn't have a page with that name in their site. That's why we were getting the error shown above.
Our resolution - we created a different BES alias to point to our intranet, and rolled that out to all applicable users. Utilizing this, the browser didn't have to determine if we wanted our intranet site or the page on the internet; it correctly displayed the intranet page.
I am trying to return the Client UserName back into Silverlight by using HttpContext.Current.User.Identity.Name in the .aspx page that starts the application.
I have this hooked up to InitParams working fine passing it into silverlight with the ASP.Net Development Server but when I change to an IIS Web site it returns an empty string.
All of our users will be on the same IP subnet with different domains. This is a intranet app. I need to know who they are, preferably without authenticating, in order to load the proper interface. I do not have any Windows or Forms authentication established in the app yet.
....is it possible?
Without authentication on the server-side, I believe this is not possible. You'll have to have the ASP.NET page authenticate in order for it to write the client's username into that init param.
The test web server's process is running as the local developer, it probably appears to be working since both the client and server are running as the same user.
Suggestion:
Enable Windows authentication in IIS for that application folder that hoses the ASP.Net page. Disable anonymous. This should (in theory) be fine for the intranet. At this point I think you should be able to get Authenticated user from HTTP context. We use Thread.CurrentPrincipal.Identity.Name since we're doing this in a WCF web service.
Not all browsers support Windows authentication. IE and Chrome seem to work the best. Firefox requires you to enable this per-site (look up the "trusted-uris" settings, note that Negotiate and NTLM are separate settings). Safari and Opera as well as non-windows clients, I'm not sure any more.
To get more consistent support across browsers look into the "alternative" client HTTP in Silverlight. However, I guess this wouldn't work with setting init params in the asp page. If you could make an additional request to another ASP page (or a web service) to get the user after loading you could choose to use this other http stack. I found it supports authentication itself, regardless of the browser.