7 Replies Latest reply on Nov 10, 2015 8:03 AM by Molly Wasserman

    Trusted Tickets from an IIS server

    Molly Wasserman

      Hello Tableau developers ,

       

      I am trying to get Trusted Authentication working from my intranet site, which runs on IIS (no solutions with jsp pages!).

      My intranet site is written in MVC RAZOR and I would like to stay in that language.

      I made my webserver's IP address [10.99.1.48] allowed on the Tableau server. My webserver's name is rcps.

      I have the following as my cshtml page (no worries, you cannot get here from the outside so I have not hidden anything)

       

      @{
      }

      <style type="text/css">
         .button {}
      </style>

      <script>
        $(function () {
          $("button").click(function () {
            var tableau_params = { username: 'DistrictDataReader' };
            var ticket;
            $.ajax({
              type: "POST",
              url: "http://Dataviz:8080/trusted",
              data: tableau_params,
              datatype: "html",
              success: function (data) {
                ticket = $('#result').html(data);
              }
            });

            alert(ticket);
          });
        });
      </script>

      <p>
         <button class="button" runat="server" id="mybutton">Get Ticket</button>
      </p>


      My alert returns ticket as undefined.

      When I check in inspect element - in the console tab I've got this error:


      XMLHttpRequest cannot load http://dataviz:8080/trusted. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://rcps' is therefore not allowed access.


      How do I fix this? Access-Control-Allow-Origin is not a parameter I can pass.......


      Thank you for your help.  


      Molly


        • 1. Re: Trusted Tickets from an IIS server
          Jeff Strauss

          I think the problem is that you're trying to go across domains.  I think you have two options.

           

          1. Try running the request server side instead of client side.

           

          2. Try using a CORS proxy.  http://crossorigin.me/   I hadn't heard of this until a few days ago, but may work.

          • 2. Re: Trusted Tickets from an IIS server
            Jeff D

            Hi Molly, if I understand this correctly, the request for the ticket comes from the user's browser, not from your web server.  I'm not familiar with MVC Razor, but if my understanding is correct, this is a security hole. If you are getting a CORS error on a trusted ticket, it means that the browser is *protecting* your server.  Bypassing this protection is not recommended.

            • 3. Re: Trusted Tickets from an IIS server
              Molly Wasserman

              Hi Jeffrey and Jeff -

               

              Well, I thought my request was coming server side.... that runat="server" is what forces the request to come from the website server rather than the client.

               

              <p>

                 <button class="button" runat="server" id="mybutton">Get Ticket</button>

              </p>


              My server's name is rcps, which has the IP that I made trusted...

               

              XMLHttpRequest cannot load http://dataviz:8080/trusted. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://rcps' is therefore not allowed access.


              I looked at the CORS proxy link, and I can't imagine how that would work as my site is an intranet; this whole thing stays behind our firewall.


              Is there a way to set the Access Control Allow Origin on the Tableau server? I suspect the whole confusion is that it is not realizing that rcps (where the request came from) is the IP address I trusted. Is that what the trust IP address list does?


              thank you,


              Molly

              • 4. Re: Trusted Tickets from an IIS server
                Jeff D

                Hi Molly, if you remove the runat="server", is the result the same or is it different?

                • 5. Re: Trusted Tickets from an IIS server
                  matt york

                  Hey Molly,

                   

                  In your example, the code that makes the request is JavaScript which runs in the browser, not Razor which runs on the server. Since JavaScript makes the request and browsers don't allow cross-origin XHRs, you are getting the CORS error.

                  The runat="server" on the button does not make the JavaScript run on the server.

                  You will need to make the request server-side. To do this, it needs to be written in Razor or C# and not JavaScript (I'm not familiar with MVC Razor syntax).

                  Modifying the Apache config to allow cross-origin requests is a VERY SERIOUS security hole. Do not do this. If an attacker gets a signed-in Tableau user to load any web page under the attacker's control, the attacker can do any action that an admin can do, including deleting all content on the server or changing permissions so the attacker can view all content.

                   

                  Matt

                  1 of 1 people found this helpful
                  • 6. Re: Trusted Tickets from an IIS server
                    Molly Wasserman

                    Hi Matt -

                     

                    Thank you, I will work on running this back in the Razor code - and I agree, try to get rid of the CORS.

                     

                    Molly

                    • 7. Re: Trusted Tickets from an IIS server
                      Molly Wasserman

                      OK - here is the solution for those folks who like RAZOR - I have a default user I want to use so that is hard coded, but it would be very easy to do dynamically. This is based on the SharePoint code:

                       

                      @using System.IO
                      @using System.Net
                      @{
                         // This block runs on the IIS server, so Tableau sees the POST
                         // coming from the web server's trusted IP, not from the browser.
                         string postData = "username=DistrictDataReader";
                         byte[] data = System.Text.Encoding.ASCII.GetBytes(postData);
                         var myTicket = "";

                         try
                         {
                            HttpWebRequest req = (HttpWebRequest)WebRequest.Create("http://dataviz:8080/trusted");
                            req.Method = "POST";
                            req.ContentType = "application/x-www-form-urlencoded";
                            // Length of the encoded bytes, which is what is written to the stream
                            req.ContentLength = data.Length;

                            // Write the request
                            using (Stream outStream = req.GetRequestStream())
                            {
                               outStream.Write(data, 0, data.Length);
                            }

                            // Do the request to get the response; the body is the ticket
                            using (HttpWebResponse res = (HttpWebResponse)req.GetResponse())
                            using (StreamReader inStream = new StreamReader(res.GetResponseStream()))
                            {
                               myTicket = inStream.ReadToEnd().Trim();
                            }
                         }
                         // Any failure leaves a placeholder ticket, so the redirect below will not authenticate
                         catch { myTicket = "Ooops!"; }

                         Response.Redirect("http://dataviz:8080/trusted/" + myTicket + "/views/SBACStateandCounty/VermontMap");
                      }

                      2 of 2 people found this helpful
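
Added example, not part of the original thread and not Tableau's own code: the same server-side ticket request written as an ASP.NET MVC 5 controller action, covering the "do it dynamically" case by deriving the Tableau username from the identity IIS authenticated and refusing to redirect when no ticket is issued. The controller name, the `MapToTableauUser` helper and the use of Windows authentication are assumptions; the host and view path are the ones used in the thread.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Mvc;

// Hypothetical controller; host and view path are the ones used in this thread.
[Authorize]
public class TableauController : Controller
{
    private const string TableauBase = "http://dataviz:8080";
    private static readonly HttpClient Http = new HttpClient();

    public async Task<ActionResult> VermontMap()
    {
        // Assumption: the username comes from the server-side authenticated identity,
        // never from a query string or form field that the browser controls.
        string tableauUser = MapToTableauUser(User.Identity.Name);
        var form = new FormUrlEncodedContent(
            new Dictionary<string, string> { { "username", tableauUser } });
        string ticket;
        try
        {
            using (HttpResponseMessage res = await Http.PostAsync(TableauBase + "/trusted", form))
            {
                res.EnsureSuccessStatusCode();
                ticket = (await res.Content.ReadAsStringAsync()).Trim();
            }
        }
        catch (Exception ex) when (ex is HttpRequestException || ex is TaskCanceledException)
        {
            return new HttpStatusCodeResult(HttpStatusCode.BadGateway, "Tableau Server unreachable");
        }
        // Tableau answers "-1" when it will not issue a ticket (untrusted IP, unknown user).
        if (ticket.Length == 0 || ticket == "-1")
        {
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden, "No trusted ticket issued");
        }
        return Redirect(TableauBase + "/trusted/" + ticket + "/views/SBACStateandCounty/VermontMap");
    }

    // Hypothetical mapping: strip a DOMAIN\ prefix from the Windows account name.
    private static string MapToTableauUser(string windowsName)
    {
        int slash = windowsName.LastIndexOf('\\');
        return slash >= 0 ? windowsName.Substring(slash + 1) : windowsName;
    }
}
```

Because the ticket is fetched inside the action, the browser only ever sees the final redirect, and no CORS header has to be added on the Tableau side.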