Jump to content
Updated Privacy Statement

Issues with CORS Preflight Requests Not Working with NetScaler AAA Authentication

Go to solution Solved by Rick Davis,

Recommended Posts

Hello everyone

I'm facing a persistent issue with CORS preflight requests not working properly on my NetScaler setup. Here’s a detailed description of my environment and the problem:

Environment Setup:

Two vServers Configured:
HTTP vServer (adc01-lb-vs_test07_http): Configured with a responder policy to redirect HTTP to HTTPS.
HTTPS vServer (adc01-lb-vs_test07_https): Basic authentication is active using the AAA Authentication Virtual Server. The domains https://test07.example.ch and https://ai-test07.example.ch are both protected with Basic Auth and are hosted behind the HTTPS vServer.

CORS Setup:
I have a chatbot setup on the website that tries to access https://test07.example.ch from https://ai-test07.example.ch , and it fails due to CORS issues. I suspect this is because the preflight OPTIONS request does not work as expected due to the AAA authentication.
When the browser sends an OPTIONS request to check CORS compatibility, it receives a 401 Unauthorized error instead of acknowledging the CORS headers. This happens because the OPTIONS request is being challenged by the Basic Authentication, which should not be the case as preflight requests should bypass authentication checks.

Steps Taken:
I have tried setting up rewrite and responder policies to handle the OPTIONS requests and correctly add CORS headers before the authentication policies trigger. However, I'm still facing the issue where the OPTIONS request gets a 401 response.

Could anyone suggest how to configure the NetScaler so that the CORS preflight OPTIONS requests are handled properly, i.e., they should pass without requiring authentication and should provide the necessary CORS headers in response? I’m particularly struggling with ensuring that these OPTIONS requests bypass the AAA authentication challenge.

Any advice or guidance would be greatly appreciated as I am unsure what configurations or settings I might be missing to resolve this issue.

Thank you in advance!

Edited by Dia
Link to comment
Share on other sites

  • Dia changed the title to Issues with CORS Preflight Requests Not Working with NetScaler AAA Authentication
  • Solution

I was able to configure a Responder policy with an OPTIONS based AppExpert policy bound to a AAA vserver.  

Sample code below.

Note: The AAA_REQUEST bind point is for responder policies which applies to all the incoming requests and are processed for the unauthenticated traffic first before any other AAA processing. ref: CTX477121 


> sho ver
        NetScaler NS14.1: Build 4.42.nc, Date: Jul 27 2023, 17:27:33   (64-bit)
> sho run | grep cors
add responder action cors_test respondwith q{"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"}
add responder policy cors_test "HTTP.REQ.METHOD.EQ(\"OPTIONS\")" cors_test
bind authentication vserver rd_test_aaa -policy cors_test -priority 100 -gotoPriorityExpression END -type AAA_REQUEST




Here's a better example CORS responder action:

add responder action cors_test respondwith q{"HTTP/1.1 204 No Content\r\nContent-Type: text/html\r\nDate: "+SYS.TIME.TYPECAST_TIME_AT+"\r\nAccess-Control-Allow-Methods: POST, GET, OPTIONS\r\n\r\n" }

HTTP/1.1 204 No Content
Content-Type: text/html
Date: Fri, 26 Apr 2024 23:44:51 GMT
Access-Control-Allow-Methods: POST, GET, OPTIONS


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...