-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ocelot not working with a Windows Authentication #657
Comments
@soumaz please can you debug and work out why this is. Unfortunately I do not have time to work the problem out at the moment. |
@soumaz did you try setting the authPersistSingleRequest to True in your services windowsAuth settings?
So it all depends on how connections are being kept open or not between ocelot and the service ( didn't check). If they are kept open and you are on the defaults, then it makes sense that there is no reauth for the second user and setting authPersistSingleRequest would solve that. |
I'm facing the same issue. I can confirm that it works with "authPersistSingleRequest=True" |
I, I got the same issue and the "authPersistSingleRequest=True" also solved my problem |
Can you please show how you have Ocelot configured to get NTLM working with anonymous gateway and windows auth protected services. I keep getting login prompts repeatedly and then a failure of not authenticated. Please show pertaining startup.cs and configuration file with AuthenticationOptions, httpHandlerOptions, etc. Can't get Ocelot to work for us without this. |
Good afternoon, I have 2 site in IIS. 1- ocelot api gateway. 2-i microservices. When authorizing directly through site 2, I easily go to it and log in. When using ocelot, the authorization window constantly creeps out and is not authorized. the above tips did not help |
Hi,
Make the Authentication for Microservices as Windows and Ocelot as
anonymous. Let me know if this works for you.
…On Tue, Oct 29, 2019 at 11:02 AM NoSkillNoLuck ***@***.***> wrote:
Good afternoon, I have 2 site in IIS. 1- ocelot api gateway. 2-i
microservices.
When authorizing directly through site 2, I easily go to it and log in.
When using ocelot, the authorization window constantly creeps out and is
not authorized.
the above tips did not help
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#657?email_source=notifications&email_token=ACBC6HAT6IN6UHWBUJOIBTTQQ7DILA5CNFSM4F23LMP2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECPJIEI#issuecomment-547263505>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACBC6HCMXJDAHZ2NOCQD4BLQQ7DILANCNFSM4F23LMPQ>
.
--
*Thanks & Regards,*
Souvik Mazumdar
Mobile: +91-8861955677
|
Hello everybody,
I guess setting UseDefaultCredentials=true is required to pass the kerberos tokens to the downstream service. It was also necessary to call ChallengeAsync to generate the WWW-authenticate header required for the Windows Authentication flow (see: #1144) By the way setting authPersistSingleRequest alone, didn't solve my problem. It would be great if Windows Authentication could be integrated into Ocelot, it's still used by a lot of people out there. Thanks in advance. |
@ArminNaish Can you provide a basic working demo. I'm struggling to get ocelot working with windows authentication. I keep getting the windows signin prompt. |
Please use version 15.0.6. Versions after that don't work well with Windows
Authentication.
Thanks & Regards
…On Tue 18 Aug, 2020, 6:21 AM Daudi Husbands, ***@***.***> wrote:
@ArminNaish <https://github.com/ArminNaish> Can you provide a basic
working demo. I'm struggling to get ocelot working with windows
authentication. I keep getting the windows signin prompt.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#657 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACBC6HH3ITV2G64MCBGEQQ3SBHGALANCNFSM4F23LMPQ>
.
|
Hello @soumaz, I'm also having trouble with Windows Authentication. My setup is as following:
When I hit one of the endpoints (/api/test or /api/hello) on the API itself from my workstation (so neither server X or server Y) with Postman setting Authentication to NTLM it all works fine (succesful requests, passes Authorize attribute, I see my Windows Identity name being returned). I have set up Fiddler as a reverse proxy on server Y which forwards requests to the Web API (project 2). I've done this so I can see all the requests coming in to the Web API. When I try to hit the endpoints through the ocelot gateway however, I receive a status 400 response (no details), both in the Angular web app and when using Postman (see Fiddler screenshots below). I've tried this both with Windows Authentication enabled in IIS on server X (following this recommendation on authPersistSingleRequest link ) and without, neither seems to work. Any recommendations and help would be greatly appreciated! This is the link to my repo. You would need to modify ocelot.test.json and \ClientApp\src\app\api-tester\api-tester.component.ts to set the correct gateway url Project 1. is AngularWithOcelot |
Hi @ArminNaish, I'm wondering if this is truly the solution to the problem, in the light of this comment by Microsoft. Wouldn't that mean that credentials are set to the identity of the account under which Ocelot is running? Regards, James |
Hi, |
I created a PR for this: #1521 |
Did anyone actually manage to make this work? |
Thank you for PR creation! Included in Dec'23 release. |
Indeed, James, we will ensure to double-check this during the testing phase of the feature delivery. We anticipate that the delivery may be complex, yet the issue has been given priority in the milestone. The upcoming release will follow the 23.3 Hotfixes. |
Expected Behavior / New Feature
Ocelot should be working with Windows Authentication
Actual Behavior / Motivation for New Feature
Ocelot should be working with Windows Authentication
Steps to Reproduce the Problem
My gateway is a virtual directory hosted under default site with anonymous access.
And my services are hosted under another virtual directory with windows authentication enabled.
Note: - in IE options settings for "Enable Integrated windows authentication is enabled" from user machine. This is required otherwise the domain.com will not carry the identity.
Default website
----> Gateway = anonymous
-----> services = windows authentication.
With this from user machine when we call with servername.domain.com/gateway/ to get the user name from services, we get the user name for first user.
When the same url is hit by another user he gets the username of the first user, whereas the should have got is his own user name.
what we see is that persist-auth in headers is set to true for communication between gateway and services.
If we enable
----> Gateway = windows authentication
-----> services = windows authentication/anonymous
Authentication does not seem to work even if we add/remove testkey= "Windows".
Please assist on the same.
Specifications
The text was updated successfully, but these errors were encountered: