We have an application in Angular 4 front-end and .NET Core 1.0 Services. WEB API Request is making from Angular using http.request with JWT bearer token. This is comparatively a big application and all HTTP requests are routed through a common service in Angular. It is working in Chrome and FF in all environment. But it throws unauthorized error intermittently in the production environment for some users whenever they use IE11. It is working in all browser for the sites those are configured in development environment (Windows 7, 64 bit), DEV Test Environment (Windows Server 2008 R2, 64-bit, same domain as dev), QA Environment (Windows Server 2008 R2, 64-bit, same domain as dev), Test Installer (Windows Server 2008 R2, 64-bit, same domain as production), Mock Sites (Windows Server 2008 R2, 64-bit, same domain as production). But it throws an intermittent error in pre-production and production (Windows Server 2008 R2, 64 bit) in IE11 for some users. Front-end site is configured for anonymous and windows authentication. Webservice is configured with anonymous to use bearer token. Web API startup has authorization policy like below var policy = new AuthorizationPolicyBuilder() .RequireAuthenticatedUser().Build();
When we analyzed the call in Fiddler, we found that the request those are throwing 401 has authorization with Negotiate instead of bearer token. While we start the site, it comes without any issue and works for some time but starts sending authorization: negotiate after a couple of requests. I added some 100ms delay in between for all HTTP calls in Angular, placed no-cache in the WEB API response header, nothing could solve the issue. This issue is happening only for some users in IE11 production and pre-production environment. But they could use other environments in IE11 without any issues. Another interesting factor, pre-production is working for some users and the same user gets the issue in production and vice versa, both are in the same domain but in a different box. Production is the only one has valid SSL certificate rest of the sites (except development) have self-signed certificates. CORS is enabled in WEB API for URLs those are mentioned in the configuration file. I am looking for a help. Greatly appreciate any input
We have followed @JoshuaBarron reply and enabled anonymous access at the site level. That solved the issue. We missed to apply anonymous access at site level in production and pre-production. Unfortunately, we do not have access there to change anything.