
At work, I have IE8 on XP, calling a .NET 4.0 web app on WinServer 2003 with IIS6. IWA is turned on. When I call the page, the initial aspx page call of course will show 3 lines in Fiddler. The first is an anon request, the second has some AUTHORIZATION:NEGOTIATE header, and then the 3rd has a longer value for the same header (probably a token). The first two result in 401 errors, the last is 200 success. But this is expected.

The issue: When the following resource files (CSS, JS, images) get called, mostly all of them (but not all) go through the same 3-step call. The first 2 are 401 errors, then the 3rd gives me the 200 code and the content.

Is this normal? I thought just the first call of the page itself is the only thing needing the 3-step process.

FYI: we had OAM and WebGate on the server, but we uninstalled it and we are still getting this behavior. Is it possibly that the app pool doesn't have its identity/domain ID set up right? I really don't want to turn the style, script and image folders on Anonymous.

TylerH
James Allen

1 Answer

This is correct if your server is configured to protect any resource. Since HTTP is stateless, every request has to be authenticated. This can be avoided if a session cookie is used which memorizes the auth. Otherwise this will happen every time.

Michael-O
  • Interesting, because it does pass the ASP.NET session back and forth. I assume it's that session cookie you refer to. Actually, doing some more digging, I am finding there is an issue with IIS6 and Kerberos and NTLM, both not remembering the authorization. Oh well. I guess Microsoft doesn't want me to make high-performance websites. Ugh. – James Allen Jul 20 '12 at 22:15
  • Yes, that is the session cookie. Please inspect if there is any session cookie passed if the static resources are requested. The server has to know that this session is already authenticated. Anyway, if the server asks for auth, the client has to respond if he can. So you have to check your server why it is doing this. – Michael-O Jul 21 '12 at 08:22
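
To measure the behaviour described in the question from a traffic capture, the sketch below (an added example, not code from the thread) groups requests by URL, labels each `Authorization` token, and counts the 401 round trips spent before the 200. The capture rows, paths and token padding are constructed; the only protocol facts relied on are that NTLM messages start with `NTLMSSP\0` followed by a little-endian message type, and that SPNEGO tokens start with the ASN.1 byte `0x60`.

```python
import base64
from collections import OrderedDict

# Constructed sample capture: (url, Authorization request header or None, status).
NTLM1 = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 8).decode()
NTLM3 = base64.b64encode(b"NTLMSSP\x00\x03\x00\x00\x00" + b"\x00" * 120).decode()
CAPTURE = [
    ("/default.aspx", None, 401),
    ("/default.aspx", "Negotiate " + NTLM1, 401),
    ("/default.aspx", "Negotiate " + NTLM3, 200),
    ("/css/site.css", None, 401),
    ("/css/site.css", "Negotiate " + NTLM1, 401),
    ("/css/site.css", "Negotiate " + NTLM3, 200),
    ("/img/logo.png", None, 200),
]

def classify_token(header):
    """Label an Authorization header value by the kind of token it carries."""
    if not header:
        return "anonymous"
    scheme, _, blob = header.partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other:" + scheme
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if raw[:8] == b"NTLMSSP\x00" and len(raw) >= 12:
        return "ntlm-type%d" % int.from_bytes(raw[8:12], "little")
    if raw[:1] == b"\x60":  # ASN.1 application tag that opens a SPNEGO token
        return "spnego"
    return "unknown"

def summarize(capture):
    """Per URL: ordered (token kind, status) steps and the count of 401 responses."""
    per_url = OrderedDict()
    for url, auth, status in capture:
        per_url.setdefault(url, []).append((classify_token(auth), status))
    return {
        url: {"steps": steps,
              "extra_round_trips": sum(1 for _, s in steps if s == 401)}
        for url, steps in per_url.items()
    }

if __name__ == "__main__":
    for url, info in summarize(CAPTURE).items():
        print(url, info["extra_round_trips"], [kind for kind, _ in info["steps"]])
```

Feeding it rows exported from a real capture shows which static resources repeat the full handshake and whether the tokens are NTLM or SPNEGO.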