I have an Angular 5 app contained in a .NET Core project that has been deployed to IIS 10. This UI consumes a .NET Core API that has been deployed to the same IIS server but a different site and app pool.
When logging into the site, the user is prompted for domain credentials. This is desired. When the site hits the first HTTP call to the API, the user is prompted again for credentials. This is a problem and must not happen. I need the first authentication token to be carried over to the HTTP calls to the API.
I have setup IIS to handle Integrated authentication by enabling ASP.NET Impersonation on both the API and UI, however I can see that the Negotiate token is not being sent through to the API in the HTTP requests in Chrome dev tools.
In Angular I have created an HTTP Interceptor which appends the credentials to all requests. This is done with:
request = request.clone({
withCredentials: true
});
This however does not seem to fix the missing Negotiate token I expected resulting in the user still being prompted twice for credentials. How do I prevent the user from being prompted twice for credentials?
I found out that the issue was related to cross domains. When performing the whole sequence of authentication on the same domain as the hosted services, I did not experience any issue. I did not resolve the actual problem though but info regarding the solution can be found here.