UAG stripping authorization header

Question
I published a RESTful AJAX app that uses a custom authorization scheme and enabled SSO. The login page is an HTML form that grabs credentials, puts them into a custom authorization HTTP header, and sends the request back to the server; the form does not POST with form data in the body of the HTTP request. I can get UAG to inject credentials into the login form and do an autosubmit, but when the form is submitted and an AJAX request is sent with the user credentials, UAG strips out the Authorization header and authentication fails. If I use AppWrap to add an Authorization header with the right value (the value is static), UAG still strips the header. I've tried using both "HTML form" and "Both" in the application authentication tab, but the header still gets stripped, even though the trace gives me different reasons why. The only thing I need to finish this app off is to preserve or re-inject this header in the HTTP traffic. Any ideas on how to do this?
Here are the authentication headers used for initial login:
Authorization: my_authentication_scheme profile="my_authentication_profile"
X-custom-auth: username=my_username, password=my_password
When the app is published using "Both" for authentication, trace gives me the following message:
Info:Authorization header(s) will be removed as a 401 rule exists for this application (Cortext). (PFC=000000000D1F2BE8)
When I use "HTML form" for authentication, trace says:
Info:Client Authorization header was detected with SSO congiguration. Discard the header
Any ideas?
Monday, June 11, 2012 7:39 PM
Answers
Check out the KeepClientAuthHeader registry key detailed here: http://technet.microsoft.com/en-us/library/ee809087.aspx
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
- Proposed as answer by Ran [MSFT] Saturday, June 16, 2012 10:17 AM
- Marked as answer by Bryan2012 Saturday, June 16, 2012 5:16 PM
Tuesday, June 12, 2012 8:16 PM
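The answer above points at a registry value rather than showing how to set it. The following PowerShell is an added example for this page, not code from the thread or from Microsoft's documentation. The registry path it uses is an assumption about where the UAG UrlFilter settings live; confirm the exact key and value name against the linked TechNet article before running it, and follow that article for whether a configuration activation or service restart is needed afterwards.

```powershell
# Added example, not from the thread or from Microsoft's UAG documentation.
# ASSUMPTION: KeepClientAuthHeader is a DWORD under the UAG UrlFilter hive
# below. Verify the path and value name in the linked TechNet article first.
$UagCommKey = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\Comm'
$ValueName  = 'KeepClientAuthHeader'

function Get-UagKeepClientAuthHeader {
    # Returns the current DWORD value, or $null if the key or value is absent.
    if (-not (Test-Path $UagCommKey)) { return $null }
    $props = Get-ItemProperty -Path $UagCommKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    if (-not ($props.PSObject.Properties.Name -contains $ValueName)) { return $null }
    return [int]$props.$ValueName
}

function Set-UagKeepClientAuthHeader {
    param([ValidateSet(0, 1)][int]$Enabled = 1)

    if (-not (Test-Path $UagCommKey)) {
        throw "UAG registry key '$UagCommKey' not found on this server; check the assumed path and that UAG SP1 Update 1 or later is installed."
    }

    # Record the previous value so the change can be reverted if needed.
    $before = Get-UagKeepClientAuthHeader
    $shown  = if ($null -eq $before) { '<absent>' } else { $before }
    Write-Host ("{0} before: {1}" -f $ValueName, $shown)

    New-ItemProperty -Path $UagCommKey -Name $ValueName -PropertyType DWord `
        -Value $Enabled -Force | Out-Null

    # Read the value back rather than trusting the write succeeded.
    $after = Get-UagKeepClientAuthHeader
    if ($after -ne $Enabled) {
        throw "Verification failed: $ValueName is '$after', expected $Enabled"
    }
    Write-Host ("{0} after:  {1}" -f $ValueName, $after)
}

# Usage: run elevated on every UAG array member, e.g.
#   Set-UagKeepClientAuthHeader -Enabled 1
# Revert with:
#   Set-UagKeepClientAuthHeader -Enabled 0
```

Two points a practitioner will want to keep in mind. As the follow-up in this thread notes, the setting is global rather than per application, so it should be set on every array member and reviewed for all published applications on the box, not just the one that needed it. And once UAG stops discarding the client's Authorization header, the backend application is the component that must validate whatever arrives in that header; UAG is no longer acting as a filter for it.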
All replies
Thanks, that did the trick! I didn't know that was part of Update 1 but it is a very welcome change.
It would be nice if there was a way to enable the setting on an application by application basis instead of globally, but this certainly works for now.
Wednesday, June 13, 2012 5:06 PM