Reputation: 1075
JQuery Ajax + Windows Authentication = 401 Unauthorized
I am facing an Ajax issue with the application I am working on. The web app is written in ASP.NET 4.5, it's more specifically derived from the default MVC sample application in Visual Studio 2012. The application is hosted on a local IIS server (Not the express version), and requires Windows authentication (currently NTLM) for client impersonation as for security reasons.
I have 2 questions here.
The website is correctly authenticating the client when browsing but for some obscure reason every Ajax calls fail in a 401 Unauthorized error (It's working when using anonymous authentication, so I guess the credentials are not encapsulated in the request?!). I had not the time yet to investigate the communication between them, but I am sure one of the guru here is able to help.
In the end the windows authentication provider will be moved to kerberos. Anything particular to be careful regarding this Ajax issue?
Please let me know if you need any other information.
Edit 1
I feel stupid ... restarting IIS solve the issue. Somedays IT is pleasure ...
Thanks to all of you.
Upvotes: 4
Views: 8633
Answers (1)
Reputation: 48240
The following answer is based on my understanding of NTLM/Kerberos and some speculation on how XmlHttpRequest reuses the information known to the browser. However, I haven't actually tried to reproduce your scenario and thus chances are that I am wrong.
Ok, here it goes. The NTLM session is a connection-oriented protocol. This means that if your server keeps returning "Keep-alive" and the client reuses the same connection then there is no need for another authentication handshake. However, just as the connection is closed and opened again, a new handshake is required. As long as this is the browser who requests the server, the new handshake is done automatically using the credentials cached in browser's memory, the exact credentials you provided at the initial handshake.
This is why I believe your ajax call doesn't work - it probably just opens a new connection and requires a new handshake (and it seems that for some reason it doesn't reuse credentials cached in the browser's memory).
However, this should change if you switch to Kerberos. Kerberos is based on a challenge-response pattern where the browser and the server contact the authentication authority directly. Then, kerberos keeps your authentication on a http header with a ticket. Chances are the header WILL be automatically appended to your AJAX requests.
Note that in contrary to NTLM, Kerberos works only if BOTH the browser and the server can contact the authentication authority. This is why usually in IIS the "Negotiate" is set as the authentication scheme - this tries Kerberos first and then switch back to NTLM if the authentication authority is not directly available to the browser.
Upvotes: 6
Related Questions
- jQuery Ajax Web API call returns 401 unauthorized error when set only Windows authentication in IIS
- .NET Ajax Call gives 401
- 401 Unauthorized Issue
- JQuery AJAX Call to MVC action , asking the Credentials in Windows Server 2008R2
- jquery ajax call for asp.net mvc application getting two unauthorized reponses then Ok
- ASP.NET MVC User Authentication failure when using AJAX
- AJAX Service Requires 'Anonymous' Authenication, but needs to use 'Windows' Authenication
- Form Authentication (using jquery.ajax) failed after setting up IIS 7
- jquery ajax calls form authentication issue
- Forms authentication with jQuery ajax