Firefox NTLM Credentials to localhost

I'm trying to setup a WebAPI web service and website that will operate on our company intranet. I'm using IIS to host the webservice (A) as well as my website (B). A page on my website makes a request to the web service thusly:

var URL = 'http://MachineName:80/AWebService/api/GetGuid';
var request = new XMLHttpRequest();"GET", URL, false);
request.withCredentials = "true";
var response = request.responseText;
return response;

The WebService code looks like this:

[EnableCors(origins: "http://localhost", headers: "*", methods: "*")]
public class StoneSoupController : ApiController
    public HttpResponseMessage GetGuid()
        var indenty = this.User.Identity;
        Guid g = Guid.NewGuid();

        HttpResponseMessage msg = new HttpResponseMessage();
        msg.Content = new StringContent(g.ToString());
        msg.Headers.Add("Access-Control-Allow-Origin", "http://localhost"); //tried with and without this
        msg.Headers.Add("Access-Control-Allow-Credentials", "true"); //tried with and without this
        return msg;


If I set the Authentication mode in IIS for the web service to Anonymous Authentication then the web service returns the guid string as expected. However I need to control which users are able to access certain methods on the webservice and want to use their windows credentials to do this.

My problem is that I can't seem to make Firefox send the windows credentials. I've tried including http://localhost in network.automatic-ntlm-auth.trusted-uris in about-config in Firefox, but that doesn't seem to have any effect.

I've enabled logging in IIS and this is what it records for the request

2013-08-01 21:36:05 GET /AWebService/api/GetGuid - 80 - Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:17.0)+Gecko/20100101+Firefox/17.0 200 0 0 965

As you can see there's no user id in the transaction.

Can anyone help me with this?


browser will ask or automatically send user credentials when response header has

WWW-Authenticate NTLM

step 2:

you need to change authentication of your web api to windows and add authorize attribute to action or controller

Step 3: Firefox doesn't send credentials like IE sends. you need change firefox settings about:config set you application url to this variable network.automatic-ntlm-auth.trusted-uris

In regards to your comment to Giridhar: It might be that IIS does not have "HTTP keep-alive" enabled.

To enable HTTP Keep-Alives

  1. In IIS Manager, expand the local computer, expand the Web Sites folder, right-click the Web site, and click Properties.

  2. On the Web Site tab, in the Connections section, click the Enable HTTP Keep-Alives check box.

  3. Click Apply, and then click OK.

(From Microsoft)

Need Your Help

MS Graph API: OneDrive resource not found

onedrive microsoft-graph

I'm building a Windows service that connects to OneDrive for Business via the Graph API using this method: