3

I am developing web api by using Asp.Net WebApi (RC) and passing user credentials via http "Authorization" header. I am getting trouble on receiving "Authorization" http header on server side. I am able to receive it when testing on local machine. Even works fine when hosted on production server and accessing url by internal IP address. BUT does not work when published on public domain.

So I guess, this has something to do with IIS or ISA server.

Also, if I create 2 web sites in IIS with one published on domain and one internal (both pointing to same physical directory) then also it work on the site hosted internally but not on published (publicly) one.

So I guess it has something to do with ISA server (I am very very new to ISA server) but not sure if it can modify http header information.

Any help appreciated.

Thanks,

user1589040
  • 31
  • 1
  • 2

2 Answers2

2

I had the same problem (with latest release of the asp.net web api). I tracked it down to an ISA Server 2006 publishing rule and fixed it with the following steps:

  • go to properties of the publishing rule and set Authentication Delegation to "No delegation, but direct Authentication of the client"
  • stay in the properties dialog and go to listener -> properties -> authentication -> advanced -> check the checkbox "Allow Clientauthentication via HTTP"

That did it. After that, the authorization headers were no longer dropped.

hoetz
  • 131
  • 1
  • 5
1

You haven't really provided enough information about your environment and more specifically the ISA box itself to help troubleshoot this.

However, my first guess would be that the ISA box is stripping some of the header information. If the local version works that means most likely this is not an IIS issue.

Feel free to post more information about your setup.

Brent Pabst
  • 6,059
  • 2
  • 23
  • 36