4

I am facing an Ajax issue with the application I am working on. The web app is written in ASP.NET 4.5; more specifically, it is derived from the default MVC sample application in Visual Studio 2012. The application is hosted on a local IIS server (not the Express version), and requires Windows authentication (currently NTLM) for client impersonation, for security reasons.

I have 2 questions here.

  1. The website is correctly authenticating the client when browsing, but for some obscure reason every Ajax call fails with a 401 Unauthorized error (it's working when using anonymous authentication, so I guess the credentials are not encapsulated in the request?!). I have not had the time yet to investigate the communication between them, but I am sure one of the gurus here is able to help.

  2. In the end the Windows authentication provider will be moved to Kerberos. Is there anything in particular to be careful about regarding this Ajax issue?

Please let me know if you need any other information.

Edit 1

I feel stupid ... restarting IIS solved the issue. Some days IT is a pleasure ...

Thanks to all of you.

dna
  • It may be a browser issue. What browser are you using? I'm not sure about Windows auth, but I know from experience in doing Kerberos with Firefox you have to add some configuration entries to the browser to get it to work. – Rocky Pulley Jan 23 '13 at 14:48
  • Chromium 22 and IE8, both the same behaviour. Yeah, you are right; I also invoke Chromium with --auth-server-whitelist, but that's for later anyway. I will google a bit about that; it's a good idea, thank you. – dna Jan 23 '13 at 15:12
  • Did you ever solve this issue? I am experiencing a very similar problem. Chrome doesn't negotiate after receiving a 401 with WWW-Authenticate:Negotiate from an AJAX request. – jmh Jul 25 '13 at 20:57
  • Yes, I simply restarted IIS. Also be sure to empty your browser cache. – dna Jul 29 '13 at 06:46
  • There are a fair few questions on authentication problems with jQuery calling a service - starting to wonder if it's a jQuery bug. Some basic first steps to check first here: https://stackoverflow.com/a/47916916/5196274 – QA Collective Dec 21 '17 at 02:14

1 Answer

6

The following answer is based on my understanding of NTLM/Kerberos and some speculation on how XMLHttpRequest reuses the information known to the browser. However, I haven't actually tried to reproduce your scenario and thus chances are that I am wrong.

OK, here it goes. The NTLM session is a connection-oriented protocol. This means that if your server keeps returning "Keep-alive" and the client reuses the same connection then there is no need for another authentication handshake. However, as soon as the connection is closed and opened again, a new handshake is required. As long as it is the browser that requests the server, the new handshake is done automatically using the credentials cached in the browser's memory, the exact credentials you provided at the initial handshake.

This is why I believe your Ajax call doesn't work - it probably just opens a new connection and requires a new handshake (and it seems that for some reason it doesn't reuse credentials cached in the browser's memory).

However, this should change if you switch to Kerberos. Kerberos is based on a challenge-response pattern where the browser and the server contact the authentication authority directly. Then, Kerberos keeps your authentication in an HTTP header with a ticket. Chances are the header WILL be automatically appended to your AJAX requests.

Note that in contrast to NTLM, Kerberos works only if BOTH the browser and the server can contact the authentication authority. This is why usually in IIS "Negotiate" is set as the authentication scheme - this tries Kerberos first and then switches back to NTLM if the authentication authority is not directly available to the browser.

Wiktor Zychla
  • Yeah, it might be due to an invalid KeepAlive setting; I will have an in-depth look at the traffic as soon as I can. Thank you. – dna Jan 23 '13 at 15:16
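
For the traffic inspection mentioned in the comment above, here is an added example (not part of the original question or answer) that decodes `Authorization` / `WWW-Authenticate` tokens and labels each exchange in a captured trace by connection, following the answer's connection-bound model of NTLM. The function names, the trace tuple layout and the sample tokens are assumptions constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"  # every NTLM message starts with this signature
NTLM_TYPES = {1: "ntlm-negotiate", 2: "ntlm-challenge", 3: "ntlm-authenticate"}

def classify_token(header_value):
    """Classify the value of an Authorization or WWW-Authenticate header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("ntlm", "negotiate"):
        return "other"
    if not b64.strip():
        return scheme + "-offer"  # bare "WWW-Authenticate: NTLM" / "Negotiate"
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if raw.startswith(NTLM_SIG) and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type field
        return NTLM_TYPES.get(msg_type, "malformed")
    if scheme == "negotiate" and raw[:1] in (b"\x60", b"\xa1"):
        return "spnego"  # GSS-API/SPNEGO blob: Kerberos, or NTLM wrapped inside
    return "malformed"

def label_exchanges(trace):
    """trace: (connection id, request Authorization value or None, status)."""
    authed = set()  # connections on which an NTLM type 3 message was accepted
    labels = []
    for conn, auth, status in trace:
        kind = classify_token(auth) if auth else None
        if kind == "ntlm-authenticate" and status != 401:
            authed.add(conn)
            labels.append("handshake-complete")
        elif kind == "ntlm-negotiate" and status == 401:
            labels.append("handshake-step")
        elif auth is None and status == 401:
            labels.append("challenged")
        elif auth is None and conn in authed:
            labels.append("reused-connection-auth")
        else:
            labels.append("other")
    return labels

def _tok(msg_type):  # constructed minimal token: signature + type only
    return "NTLM " + base64.b64encode(NTLM_SIG + struct.pack("<I", msg_type)).decode()

# Constructed trace: a page load on connection 1, then a request on connection 2.
SAMPLE = [(1, None, 401), (1, _tok(1), 401), (1, _tok(3), 200),
          (1, None, 200), (2, None, 401)]
```

A trailing `challenged` with no handshake after it, as on connection 2 in the sample, is the pattern to look for in a real capture; a `Negotiate` token that classifies as `ntlm-negotiate` shows the exchange fell back to raw NTLM.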