I’ve noticed that my post about Windows Authentication in an AngularJS application has gotten a lot of attention.
With the new HttpClient introduced in Angular 4.3.1, I think it’s a good moment to write a little update.
I’m following the same setup as the previous post:
- Angular project
- Web Api project
- Windows Authentication
Let’s get started.
Web Api
Little has changed for the Web Api part. The short version is:
- application.config
<authentication><anonymousAuthentication enabled="true" userName="" /><basicAuthentication enabled="false" /><clientCertificateMappingAuthentication enabled="false" /><digestAuthentication enabled="false" /><iisClientCertificateMappingAuthentication enabled="false"></iisClientCertificateMappingAuthentication><windowsAuthentication enabled="true"><providers><add value="Negotiate" /><add value="NTLM" /></providers></windowsAuthentication></authentication>
- Web API
- Add CORS
- Configure CORS
var cors = new EnableCorsAttribute("http://localhost:30033", "*", "*") { SupportsCredentials = true }; - Configure for json instead of XML
config.Formatters.JsonFormatter.SupportedMediaTypes.Add(new MediaTypeHeaderValue("text/html")); - Web.config settings
<authentication mode="Windows"/><authorization> <allow users="?"/></authorization>
You can find the in-detail version here.
Some points of interest in the Web API setup:
- In the CORS configuration we need to set which url’s are can contact our api. I’m developing an angular project with the angular-cli. The default is http://localhost:4200
var cors = new EnableCorsAttribute("http://localhost:30033,http://localhost:4200", "*", "*") { SupportsCredentials = true };- I’ve noticed that while setting up a project, as described in my previous post, works as expected if you start from scratch. Starting from the github repo of my sample, sometimes you keep getting a 401 unauthorized on the post request.
If that’s the case, you can easily solve this by selecting the web api project in visual studio and open up the properties. Make sure to set Anonymous Authentication to Enabled.
Setting up our Angular application
I’m using the angular-cli. If you don’t know how to use it, check out their getting started information before continuing.
After setting up the application, we include the new HttpClientModule in the app.module:
import { HttpClientModule } from '@angular/common/http';@NgModule({ declarations: [AppComponent ], imports: [BrowserModule,HttpClientModule ], providers: [ ], bootstrap: [AppComponent]})export class AppModule { }Note: take special note of the fact that I’m using the new http import from @angular/common/http and not the old(er) one from @angular/http which still exists and works as before. I want to make use of newer functionality so I’m going for the new http implementation.
Next, add 2 services to the application.
getUser(): Observable<string> {console.log('Calling getUser');let serviceUrl: string = `${environment.serviceBaseUrl}auth/getuser`;return this.http.get(serviceUrl, {responseType: 'text'}) .map((rslt: string) =>{return rslt; }); } save(data: models.IPostDataModel): Observable<string> {console.log('Calling getUser');let serviceUrl: string = `${environment.serviceBaseUrl}data/save`;return this.http.post(serviceUrl, data, {responseType: 'text'}) .map((rslt: string) => {return rslt; }); }Note: the new http client uses json by default. And tries to parse what is returned by a request as json. In our sample web api we return a string, so we need to specify another responseType. Which in our case will be text. More about this can be found here.
Import and provide those services in the app module :
import * as svcs from './services/';providers: [svcs.AuthenticationServiceService,svcs.DataServiceService],
Create the necessary data model for our server side PostData object.
export interface IPostDataModel {Id: number;Name: string;IsTrue: boolean;CreatedOn: Date;}export class PostDataModel implements IPostDataModel {public Id: number;public Name: string;public IsTrue: boolean;public CreatedOn: Date;constructor(obj?: IPostDataModel) {if (obj != null) {Object.assign(this, obj);}}}
I’m using the AppComponent for demonstrating the windows authentication by adding 2 buttons to it.
<div style="text-align:center"> <div class="row"><div class="col-lg-12"><button type="button" (click)="testAuthentication()">Authentication</button><pre style="border:solid 1px;min-height:21px;" [ngClass]="[authBack]">{{authRslt}}</pre></div><div class="col-lg-12"><button type="button" (click)="testPostData()">Post Data</button><pre style="border:solid 1px;min-height:21px;" [ngClass]="[postBack]">{{postRslt}}</pre></div> </div></div>And of course the functions that will be executed when clicking the buttons.
testAuthentication(): void {this.authSvc.getUser() .subscribe(r => {this.authRslt = r; this.authBack = 'success';},e => {console.log(e); this.authBack = 'error';} ); } testPostData(): void {this.dataSvc.save(new models.PostDataModel({Id: 1, Name: 'DeBiese', IsTrue: false, CreatedOn: new Date()})) .subscribe(r => {this.postRslt = r; this.postBack = 'success';},e => {console.log(e); this.postBack = 'error';} ); }HttpInterceptor
In the new http client module, intercepting a request and/or response is very easy. Writing an interceptor is like writing an angular service that implements the HttpInterceptor interface.
An example of an interceptor is the following:
import { Injectable } from '@angular/core';import { HttpRequest, HttpHandler, HttpInterceptor, HttpEvent} from '@angular/common/http';import { Observable } from 'rxjs/Observable';@Injectable()export class WinAuthInterceptor implements HttpInterceptor{ constructor(){} intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {return next.handle(req); }}This interceptor is doing nothing now. It intercepts a request and passes it on without change.
In our case, we want to make sure that every request adds the current user’s windows credentials. The intercept method changes to this:
intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {req = req.clone({ withCredentials: true});return next.handle(req); }The request (response) object needs to be immutable, so we need to clone the original request before we return it. We set the withCredentials parameter to true so that every outgoing request adds those credentials.
Lastly, we need to make sure that this interceptor is being used. So we need to register it in the app module.
providers: [{ provide: HTTP_INTERCEPTORS, useClass: int.WinAuthInterceptor, multi: true},svcs.AuthenticationServiceService,svcs.DataServiceService ],Testing the application
Let’s fire up both the Web API and the angular application:
After clicking the buttons:
Both requests are successful, meaning the windows authentication is working the way we want it to work.
Conclusion
Using windows authentication with the new HttpClientModule in Angular 4.3.1 (or higher) is fairly easy. Just write an interceptor and make sure it is being used by providing it in your app module.
I hope this post provides you with enough information to set this up yourself.
The full code base of this test project can be found on github.
Feel free to comment below!
Ruben Biesemans
Analyst Developer @ Spikes
Winc Ad
Thanks Ruben, this proved to be very usefull! 🙂
LikeLiked by 1 person
Did you ever try this using the Owin CORS libraries and middleware?
LikeLike
I have not actually. Are you experiencing any issues in that approach?
LikeLike
with the new HttpClient, you probably can avoid using .map() altogether:
return this.http.get(serviceUrl, {responseType: ‘text’});
LikeLiked by 1 person
Well yes, I know it can be avoided. I actually had to add the “{responseType: ‘text’}” to avoid interpreting the result as json. I just usually have a .map() in non-demo situations. Force of habit I suppose.
LikeLike
Hi I tried the demo using local IIS from vs 2015
http://localhost/ngauth/auth/getuser: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://localhost:4200’ is therefore not allowed access. The response had HTTP status code 404.
Any Ideas ?
LikeLike
The 404 you get indicates that your url is not correct. Try removing the “[Authorize]” attribute on the WinAuthController and see if you can access the url that way.
LikeLike
thanks, sorted it out…..
LikeLike
Hi Rubens,
this works great for passing credentials back to a web api (single hop)
but if i want to do two hops (to a WCF service from that service) , then it needs to do kerberos instead of NTLM (it negotiates then drops back to NTLM) . Any idea of how to make this happen ? (been struggling for days) thanks
LikeLiked by 1 person
Hi Sean,
I have no idea actually.
Why are you doing the 2 hops? What’s the gain of calling an api only to have it call a wcf service?
This is a post about using windows credentials which I would only use for an intranet web application. Can you not expose a new endpoint on the wcf service and call that directly? (Haven’t tried this either, to be honest)
LikeLike
Were you able to solve this ?
LikeLike
In the points of interests, where you talk about enabling Anonymous authentication, I had to do it to make the posts work on Chrome (Edge is fine). Any further info on this? Are you suggesting to leave it like this during development?
LikeLike
The anonymous authentication is necessary for successful OPTIONS requests as they do not have to pass authentication information. I have noticed the Edge behaviour, but that’s not the “standard” behaviour.
If you want this to work in chrome (or firefox, …), you’ll have to enable anonymous authentication, even in production…
LikeLike
Thnk you, when I tested the code in VS It is OK, but when i deployed it in IIS I have the error “Status Code:400 Bad Request”
LikeLike
When you get an http 400, I suspect something is amiss with your IIS configuration. Try enabling logs to find the exact issue for getting the http 400.
LikeLike
Getting 401 after deploying to IIS.
LikeLike
Check your IIS settings of the web api. Did you enable both Anonymous and Windows Authentication? (Sites > API > IIS > Authentication)
If you don’t see the Windows Authentication option, you have to turn on the correct Windows Feature (https://goo.gl/TUFJGL).
LikeLike
When i enabled Anonymous along with windows, i am getting “ISUR/ Application pool identity” as the user identity. With anonymous disabled and windows authentication enabled, I am getting 401.
LikeLike
I have tried GET and PATCH. It is working without allowing anonymous authentication. However, it seems that PUT is not working and I have tried enabling anonymous authentication, Have you tried with PUT?
LikeLike
Wops. I meant POST and GET.
LikeLike
The GET method never sends an OPTIONS request, so for GET only, anonymous authentication isn’t required.
The POST method can in some cases (When content type is: text/plain, application/x-www-form-urlencoded or multipart/form-data) be used without it sending out an options request. Again, no need for anonymous authentication in that case.
I’m guessing there’s an issue with your configuration of the anonymous authentication.
LikeLike
Hi Ruben,
Do you know a post/article/tutorial with the same functionality but using .NET Core. I am struggling to do this for days and it does not work
LikeLike
Hi Ruben,
How do you perform logout facility? I mean how would I be able to force the user to re-enter his credentials by showing Browser login popup? This to me proved to be an extremely tough task to achieve. In my case the user gets prompted the first time and then for the rest of requests even if I clear the local storage and run something like document.execCommand(‘ClearAuthenticationCache’, false) in Internet Explorer I still don’t manage to get the login page back. This proved to be the case for all browsers including Internet Explorer. How can you logout and show the login page to the user again?
LikeLike
Hi,
I haven’t given much thought to a logout functionality. I would implement windows authentication only in an intranet environment. Not for a public facing website. And as such, I wouldn’t even want to get the login prompt.
Be that as it may, I searched around a bit, and found something that might be usefull in working towards a solution. Beware: I’m providing some information based on assumptions, I have not tested the following myself.
Given the information here: https://en.wikipedia.org/wiki/Basic_access_authentication a possible solution would be to have your server return a 401 with WWW-Authenticate field.
I see 2 options (there can be other and/or better ones):
1. Keep track of users on your web api (by eg using a custom actionfilterattribute on your controllers/methods).
A first time a user makes a request, you return the 401. You can have a caching mechanism to retain the user x-amount of time and/or a logout method in your api.
2. Implement a logout on your client application. Keep track in your application if the user is in the logged in/logged out status. Send your first request to your web api without addding the credentials to the header. This means that you should find a way for the interceptor not to work on that first request. Easiest way to accomplish this is by starting the app on a login page, clicking the login button sends a request without using the interceptor and you’ll get prompted.
I’m not sure if this helps. If you do try one of those, please let me know how you solved it. I might just add the solution to the blogpost and example code.
LikeLike
Hi Ruben, Is Angular 5 the way to go ? with Angular Material ? to create Intranet ?
LikeLike
I would say that it’s definitely an option.
LikeLike
Hi Ruben,
Thanks for this clear post.
I was wondering if suites my need as its as follows.
Angular 6 Intranet application, WebApi hosted on different machine.
first I retrieve the username of the logged in user by calling an auth controller in my webapp in visual studio containing my ngApp.
controller action:
[HttpGet]
public string Authorize()
{
return User.Identities.SingleOrDefault().Name;
}
then I check via my webapi, if the logged in user exists in my users table,
if yes, I set a global var isLoggedIn to true.
in my route guard I check this boolean isLoggedIn.
but the check in my guard executes between the first request, and its response. what means isLoggedIn is never true.
I was wondering if this post a problem solver is for my case.. as Im struggeling with this problem for 1 whole day now…
I hope you have time to come back to me on this big question.
thanks in advance and sorry for the rushy structure of my post.
LikeLike
Hi Ahmad,
I would add the check for isLoggedIn in my clientside authentication service.
After you retrieve the user name, you start the check if the user exists in your database.
Do this like described here: https://gist.github.com/DeBiese/6a0ff6668ab3324ef29aef2873932e9a
A guard can return a boolean or an observable, so have your guard check the same method in the authentication service and you should be set.
LikeLike
Thanks very much, it worked!
LikeLike
Thank you for this tutorial. Worked on the first try and was REALLY simple to implement. I just can’t thank you enough.
LikeLike
Hi,
Thank you for your post 🙂
I have some question : thinks to the API will we get the Active Directory ?
And i don’t know why but for the import of observable in the 2 services i have an error “the module’ ……/node_modules/rxjs/observable’ doesn’t have exported member”
Moreover, in the same file “the property ‘map’ doesn’t exist on ‘Observable’ type”.
I expect you will find some time to help me.
Thank you 🙂
LikeLike
i have also :
Failed to compile.
./src/app/services/authentication.service.ts
Module not found: Error: Can’t resolve ‘rxjs/add/operator/map’ in ‘C:\Users\Soleyne.Nero\Desktop\Project\intranetApplication\src\app\services’
LikeLike
Same as my previous answer. There are some breaking changes in RxJS6.
LikeLike
I’m not sure I’m following your first question.
As to the errors in the services. Which version of Angular are you using? If you are at Angular 6, you’ll be using RxJS6 which has some noteable/breaking changes to previous versions.
More info on the changes can be found here: https://github.com/ReactiveX/rxjs/blob/master/CHANGELOG.md
LikeLike
Hi,
Think you for your response but I don’t found the solution for the .map() problem…
I see in the new that i have to change : import ‘rxjs/add/operator/map’ by import { map } from ‘rxjs/operators’.
But my property map always say the message error the property’map’ doesn’t exist on the type ‘Observable’.
Do i have to change observable by anither thing ?
LikeLike
Apart from changing the import, also the usage has changed.
Before, you did: myObservable.map(…)
Now you have to do: myObservable.pipe(map(…))
Another helpfull url: https://www.academind.com/learn/javascript/rxjs-6-what-changed/
LikeLike
Hi,
If I want to support multiple domain user login (which is not the same domain as the WebAPI Server’s Domain).
How to do?
E.g. The WebAPI Server is under Domain1. And want to authenticate the user Domain2\peter
LikeLike
I haven’t done anything like that myself so I’m not entirely sure. But you might want to look into setting up a trust between the 2 domains and allow users from domain2 to authenticate in domain1.
LikeLike
Hey Ruben,
Thanks for the post, after implementing this I’m running into this issue “Failed to load http://localhost:63854/api/Login: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://localhost:52871’ is therefore not allowed access. The response had HTTP status code 500.”
When I try with [AllowAnonymous] on the controller. I’m able to access my action method. But when i try [Authorize] am getting 500 error.
I have enabled CORS to allow requests from any Origin.
LikeLike
HTTP 500 indicates an internal server error. Try to debug your login method on your api. You’ll get the CORS message for every error that happens (not only actual CORS errors).
LikeLike
Yeah, I made a mistake, corrected it.
Thanks
LikeLiked by 1 person
Hi Ruben ,
I am developing an application in angular 6 for my company which will be used in intranet and hosted on a server. I want to fetch the logged in user details (client machine windows logged in user on network) in my angular application when user access it and show it on the home page as logged in user. Can your post solve this problem?
Where are you hosting the Web API ? On client machine where user is accessing the angular app or to some server machine?
If you are hosting it on client machine then it is not going to solve my problem as I cannot force each client to host the Web Api. If on server then how it is going to tell us the logged in user details on the client machine?
Please provide your valuable input.
Thanks,
Sandeep Kumar
LikeLike
The API will be hosted on any server within your intranet, not on a client machine. The setup I discuss in this post will certainly enable you to show the username of the logged in user.
How will this work? In the interceptor you tell your angular application to send the credentials to the server by setting the “withCredentials” to true. The API can access the “User” object to get the actual name of the user. (User.Identity.Name)
LikeLike
Many thanks Ruben, this article has been of very help to me. Keep up the good work!
LikeLike
How to do with nodejs as backend??
LikeLike
I haven’t tried that to be honest, so I don’t know.
You might want to look into node-sspi (https://www.npmjs.com/package/node-sspi).
LikeLike
Hi ruben ive been struggling for days to make this thing work .. i dont know what im doing wrong … so this is the setup .. when i click the authenticate button im having a 404 on http://myserver/myapi/auth/getuser …i already removed the Authorize in winauthcontroller pleae help me..
LikeLike
Can you provide some kind of code snippet (either in a response or by creating a snippit on github)? It’s difficult to help without the proper information.
The fact that you are getting a 404 indicates that you’re not using a correct url (404 = not found). What’s the setup on your server?
LikeLike
Hi Ruben,
Thanks for your article. In it you do a authentication step, what is the response for it? A session?
This is the first time that implement NTLM, I have a Navision REST service published with NTLM Authentication. How can I do GET to an endpoint that requires to be authenticated (user and password)?
What would be the first steps?
With Postman I configure the NTLM Authentication with User Password and Domain and work perfectly
Thanks for your time
LikeLike
i am trying to implement the same where i need to do windows authentication for the angular app .
So i have enable windows authentication at IIS level.
As i have setup both angular app and web api on the same IIS server .
I have enable windows authentication for the both the application (Angular app and Web API).
But when i am trying to call web API from angular app so its showing 401 error means unauthorized access .
Please let me know what can be the cause for the same,
Thanks
Chintan Rathod
LikeLike
You need to allow anonymous access on your API in general (not on the controllers/end points) because OPTIONS requests will be sent and they don’t pass authentication information.
LikeLike
after ng serve they have me the error,,,
Failed to load resource: the server responded with a status of 404 (Not Found)
LikeLike
on httppost: I keep getting this error “Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:59366/api/todo/PostTodoItem. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)” httpget works fine. I have these setting “windowsAuthentication”: true, and“anonymousAuthentication”: true,
LikeLike
Can you please tell me how to pass the windows credentials from angular to web api
LikeLike
It’s in the article. You need an interceptor to add ‘withCredentials: true’ to the request.
LikeLike
I’ve implemented this, but when I click on the Authenticate button, a prompt appears asking me to enter my username and password. Is this the expected behaviour? Or might I have done something incorrectly since this is windows authentication, shouldn’t Angular should pass my windows identity to the webapi service?
LikeLike
You still need to allow anonymous access to your api to handle OPTION requests.
LikeLike
Hi Ruben,
I’ve opened the solution in VS2019, and I have 2 errors in typescript, I do not use 1.8 becaus is not available
I use the version 2.8 or 3.3
I’ve got these errors:
self.authenticatingPromise
return defer.promise
The error is in the Angular project, the web api project compile well
What do I have to do to solve this error ?
Best Regards
Vittorio
LikeLike
Hey, is it possible to get the user information (nt user name) in the angular 6 app itself. I am using angular 6 (for the web interface) and flask (web api). So, I don’t really know how to get the user info in flask. It would be enough for me to get the info in angular 6 itself. Your help will be very much appreciated. Thanks.
LikeLike
Thanks Ruben, This article help me a lot.
LikeLike