Windows Authentication and Angular 7 application

Question

I have developed intranet application

Backend: ASP.NET WEB API-2 (All controllers have Authorize attribute), Frontend: Angular 7 (after prod build I moved generated scripts to my backend project):

....
  <app-root> 
      <div id="preloader"></div>
  </app-root>


  <script type="text/javascript" src="~/Scripts/SPA/runtime.26209474bfa8dc87a77c.js"></script>
  <script type="text/javascript" src="~/Scripts/SPA/es2015-polyfills.bda95d5896422d031328.js" nomodule></script>
  <script type="text/javascript" src="~/Scripts/SPA/polyfills.8bbb231b43165d65d357.js"></script>
  <script type="text/javascript" src="~/Scripts/SPA/main.122a2bd84f391ab8df1d.js"></script>
</body>

The problem is am getting prompted to enter my username/password after deployment to server.If user enters credentials it works perfectly, but I want the application to grab logged user automaticaly.

this is my web.config

<authentication mode="Windows" />
   <authorization>
     <deny users="?" />
   </authorization>

this is my interceptor in angular

import { Injectable } from '@angular/core';
import { HttpInterceptor, HttpRequest, HttpHandler, HttpEvent } from '@angular/common/http';
import { Observable } from 'rxjs';

@Injectable()
export class CredentialsInterceptor implements HttpInterceptor {
    intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
        request = request.clone({
            withCredentials: true
        });

        return next.handle(request);
    }
}

in Visual Studio 2019 project settings

Anonymous Authentication:Enabled

Windows Authentication:Enabled

Managed Pipeline Mode: Integrated

Global.asax

protected void Application_BeginRequest(Object sender, EventArgs e)
       {
           //Preflight request comes with HttpMethod OPTIONS
           //The following line solves the error message
           //HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "http://localhost:4202");
           HttpContext.Current.Response.AddHeader("Access-Control-Allow-Credentials", "true");
           if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
           {
               HttpContext.Current.Response.AddHeader("Cache-Control", "no-cache");
               HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "GET, POST");
               HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "Content-Type, Accept, Pragma, Cache-Control, Authorization");
               HttpContext.Current.Response.End();
           }
       }

Answer 1

The fact that everything works when you type in your credentials means that this is a client-side problem, not server-side. The browser is not automatically sending your credentials.

Chrome and IE will automatically send the credentials of the currently-logged-on user only if the site is in the list of Trusted Sites in Internet Options.

1. Open the Start menu.
2. Type in "Internet Options" and click on it.
3. Click the 'Security' tab.
4. Click on the 'Trusted Sites' icon.
5. Click the 'Sites' button.
6. Add the domain for your website to the list. You can use wildcards.

This can also be set via group policy, so the setting can be pushed to every computer in your organization. See the answer here.

Firefox uses its own setting: network.negotiate-auth.delegation-uris. I'm sure that could be set via group policy somehow too.

Answer 2

You also need to allow SupportsCredentials in cross-origin requests.

Server Side (Web API):

Set the SupportsCredentials property to true on the [EnableCors] attribute:

[EnableCors(origins: "http://exampleclient.com", headers: "*", 
methods: "*", SupportsCredentials = true)]