7

Environment:

  • ASP.NET WebForms
  • .NET 3.5
  • jQuery for AJAX
  • ASMX web services
  • Windows Authentication
  • SSL

When we run our production web application, our AJAX calls often have 2-3 HTTP 401s before we get our HTTP 200.

Is this normal?
Is there something we may be doing wrong?

NOTE: The calls do not fail, the 401s try until they succeed.

Example Traffic: [image]

rick schott

1 Answer

9

That's normal traffic for NTLM-style Integrated Windows authentication. The sequence is roughly:

  1. Client: HTTP GET url...
  2. Server: HTTP 401 WHO GOES THERE
  3. Client: It's-a me, the client!
  4. Server: HTTP 401 YEAH PROVE IT
  5. Client: I've got all the proof you need right here.
  6. Server: HTTP 200 OK

If you look in the raw responses from the server, you should see the Negotiate headers, and the corresponding encoded / encrypted requests from the client.

mwalker

  • Ok cool, I looked at the headers as @John mentioned and I do see the negotiations taking place. – rick schott Jul 19 '10 at 17:23
  • Is there any way to fix this? I'm having those same failures and it costs 100-300ms each time. – Darcy May 17 '11 at 17:46
  • Use Kerberos instead of NTLM, and the handshake won't need to happen on every request. – mwalker May 17 '11 at 18:43
  • Can you still use integrated/passthrough auth with Kerberos? I'm seeing the same thing, but only on the production machines (no delays when running on my local PC) but I'd rather not "fix" it by requiring users to log in again. Also, any idea why the NTLM negotiation has to take place after the first request? Why can't the client just supply credentials without being asked, for the second and subsequent requests? – Malvineous Jun 03 '11 at 01:06
  • @Malvineous you can disable NTLM to "force" Kerberos - this might be a good option if Kerberos isn't working, as it will force you to fix it. Kerberos doesn't require the 2 extra requests every time; NTLM does unless you've kept the socket alive (HTTP is stateless, so you could now be someone else) – mwalker Jun 03 '11 at 16:08
  • @mwalker: But if I was someone else I wouldn't be able to supply the correct user/pass. What I mean is why am I (the client) sending a request with no credentials, waiting for a 401, then resending with credentials. Why can't I just send the initial request with my NTLM user/pass to save the server sending me a 401? – Malvineous Jun 11 '11 at 12:55
  • @Malvineous I don't know - probably a good subject for a new question, to see if there's a way to do it. I presume that it's up to the browser, and IE tries anonymous first on new connections. – mwalker Jun 13 '11 at 16:17
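
To check from a capture whether the 401s in the answer's sequence are NTLM legs or a Kerberos exchange, the tokens in the `Authorization` / `WWW-Authenticate` headers can be decoded and labelled. This is an added example, not code from the original posts; the function names and the sample trace are constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"   # every NTLM message starts with this signature
NTLM_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def classify(header_value):
    """Label one Authorization / WWW-Authenticate header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if not token:
        return f"{scheme}: offer (no token)"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return f"{scheme}: undecodable token"
    pos = raw.find(NTLM_SIG)            # raw NTLM, or NTLM wrapped in SPNEGO
    if pos >= 0 and len(raw) >= pos + 12:
        (mtype,) = struct.unpack_from("<I", raw, pos + 8)  # little-endian type
        name = NTLM_NAMES.get(mtype, f"type {mtype}")
        return f"{scheme}: NTLM {name}"
    if raw[:1] == b"\x60":              # ASN.1 header of a GSS-API token
        return f"{scheme}: GSS-API token without NTLMSSP (e.g. Kerberos)"
    return f"{scheme}: unknown token"

def handshake_legs(trace):
    """Return (count of 401s before the first 200, labelled legs)."""
    legs, unauthorized = [], 0
    for status, req_auth, resp_auth in trace:
        legs.append((status,
                     classify(req_auth) if req_auth else "anonymous",
                     classify(resp_auth) if resp_auth else None))
        if status == 200:
            break
        if status == 401:
            unauthorized += 1
    return unauthorized, legs

def ntlm_token(mtype):
    # Constructed token: signature + message type + zero padding, not a real capture.
    return base64.b64encode(NTLM_SIG + struct.pack("<I", mtype) + b"\x00" * 20).decode()

# Constructed trace: (status, request Authorization, response WWW-Authenticate)
SAMPLE_TRACE = [
    (401, None, "Negotiate"),
    (401, "Negotiate " + ntlm_token(1), "Negotiate " + ntlm_token(2)),
    (200, "Negotiate " + ntlm_token(3), None),
]

if __name__ == "__main__":
    count, legs = handshake_legs(SAMPLE_TRACE)
    print(count, "x 401 before 200")
    for leg in legs:
        print(leg)
```

A token that begins `TlRMTVNTUA` in the raw header is the base64 of `NTLMSSP`, so NTLM legs can also be spotted by eye in a proxy trace.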