
I noticed that our IIS 8.5 returns a "401 Unauthorized" response to a non-authenticated HTTP request right after receiving its headers, without waiting for the body:

The client:

```
POST /some/protected/page HTTP/1.1
Host: server.example.org
Content-Length: 4666

```

The server, without waiting for the rest:

```
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/8.5

```

The client goes on:

```
<xml>some large XML block of 4666 bytes in total</xml>
```

Now, by itself it doesn't represent a problem, but our load balancer (FortiGate v6.0.3) decided to be smart, so it drops the request's body after seeing the "401 Unauthorized" response. And this, as I understand, causes the next request over the same TCP pipe to fail, since the server interprets the next bytes as the payload promised by the "Content-Length: 4666" header.

The question: is it possible to make IIS wait for the whole request before responding with 401?

Cat Mucius
  • I don't think IIS is doing anything wrong here. You should instead ask if it's possible to make the FortiGate behave sensibly. Or it could be that you have a completely different problem than the problem you think you have. You should describe the actual problem in more detail, not just your proposed solution. – Michael Hampton Dec 17 '18 at 12:44
  • I'm not saying it's doing anything wrong. Just looking for possible workarounds. – Cat Mucius Dec 17 '18 at 14:04
  • Are you **requiring** mutual-authenticated connections and then attempting a non-authenticated connection? Make sure the system supports/allows what you're trying to do. Possibly you're rejecting HTTP traffic or enforcing a form of HTTPS that the client doesn't support, or requiring Client Authentication, etc. – duct_tape_coder Dec 19 '18 at 20:35
  • It's a very standard thing with Windows authentication: browser submits first request un-authenticated, then gets 401 error and re-attempts the request with Kerberos ticket / NTLM challenge response in the Authorization header. When a new TCP connection is open, the process repeats. – Cat Mucius Dec 20 '18 at 00:43
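
The framing failure described in the question, as an added example that is not part of the original thread: a minimal Content-Length parser run over constructed bytes, once with the body forwarded and once with the body dropped by an intermediary while the connection stays open. The follow-up GET request and the `parse_stream` function are assumptions made for illustration.

```python
# Added illustration: Content-Length framing on a persistent HTTP/1.1 connection.
# All request bytes below are constructed sample data, not captured traffic.

BODY = b"<xml>" + b"A" * (4666 - 11) + b"</xml>"   # 4666 bytes, as in the question
REQ1_HEAD = (b"POST /some/protected/page HTTP/1.1\r\n"
             b"Host: server.example.org\r\n"
             b"Content-Length: 4666\r\n\r\n")
# Hypothetical next request sent by the client on the same connection.
REQ2 = (b"GET /some/protected/page HTTP/1.1\r\n"
        b"Host: server.example.org\r\n\r\n")


def parse_stream(stream: bytes):
    """Split a byte stream into requests the way a server that frames by
    Content-Length does. Returns [(request_line, body_bytes_seen, complete)]."""
    out, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:                      # header block never terminated
            out.append(("<incomplete headers>", 0, False))
            break
        head = stream[pos:end].split(b"\r\n")
        length = 0
        for line in head[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        body = stream[end + 4:end + 4 + length]
        # The server counts the next `length` bytes as body, whatever they are.
        out.append((head[0].decode("latin-1"), len(body), len(body) == length))
        pos = end + 4 + length
    return out


if __name__ == "__main__":
    # Body forwarded: both requests are framed correctly.
    print(parse_stream(REQ1_HEAD + BODY + REQ2))
    # Body dropped, connection reused: the GET is consumed as POST body
    # and the server keeps waiting for the remaining bytes.
    print(parse_stream(REQ1_HEAD + REQ2))
    # Body dropped, many follow-up requests: 4666 bytes of them are swallowed
    # and parsing resumes in the middle of a request line.
    print(parse_stream(REQ1_HEAD + REQ2 * 80)[:3])
```

An intermediary that stops forwarding a body must also stop reusing that server-side connection; otherwise every later request on it is misframed as shown.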
