CORS error after sign-in with ArcGIS Enterprise

[tamchuen]

Describe the bug
After login via "ArcGIS Enterprise", the home page shows blank, and there is CORS error messages showing in developer tools

To Reproduce
Steps to reproduce the behavior:

1. Go to 'https://assistant.esri-ps.com/signin'
2. Click on 'Sign in with ArcGIS Enterprise', enter the portal URL, and App ID
3. the page shows blank content after sign-in
4. See error in developer console :

Access to fetch at 'https://gistest.cpr.ca/arcgisportal/sharing/rest/community/self?f=json&token=xxxx.' from origin 'https://assistant.esri-ps.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Expected behavior
It should show the page after sign-in

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: Windows
• Browser: Chrome
• Version: 101.0.4951.67

Additional context
Add any other context about the problem here.

[nheminger]

Hello @tamchuen,

Thanks for submitting this. In the response from https://gistest.cpr.ca/arcgisportal/sharing/rest/community/self?f=json&token=xxxx in the DevTools network tab, do you see an Access-Control-Allow-Origin response header being sent?

[tamchuen]

No there is no Access-Control-Allow-Origin response.
The response code is 401 Unauthorized.
Here is the list of response headers:
Content-Length: 11660
Content-Type: text/html
Date: Fri, 17 Jun 2022 18:37:15 GMT
Server: Microsoft-IIS/8.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET

Additional info:
I also tried adding the domain https://assistant.esri-ps.com to ‘Allowed Origins’ in Portal settings page, but the issue still remains. (The 'Allowed Origins' list was empty previously)
Our portal web adaptor uses IWA (Negotiate + NTLM).

[tamchuen]

@nheminger Do you have any status update on this ?

[MarcBate]

Same issue here IWA Enterprise 11.1, added to Allowed Origins which solved this for other applications. I get the error of CORS header ‘Access-Control-Allow-Origin’ missing.

Btw, there are several options when you register an application (web mapping application, or Other, does it need a url for the application itself or just the redirect. Does it need the oauth redirect also?). Please list exactly which options to select rather than link to the generic help page.

[imfnet]

Bump

Same issues with login/CORS errors

Enterprise 10.9.1 using Windows Authentication login

[MarcBate]

Same here. CORS error 11.1 with Windows Authentication. I click the link it is trying to access and it opens in the browser, just the CORS is preventing it.

[Detteor]

@MarcBate and @imfnet I had this same issue and was able to solve it by removing the trailing slash "/" from the URL in "Allowed Origins" in Organizations > Security and in "Redirect URLs" in the application settings.

[MarcBate]

Wow that's crazy the software is so fragile it can be broken so easily