JQuery Ajax + Windows Authentication = 401 Unauthorized
I am facing an Ajax issue with the application I am working on. The web app is written in ASP.NET 4.5; more specifically, it is derived from the default MVC sample application in Visual Studio 2012. The application is hosted on a local IIS server (not the Express version) and requires Windows authentication (currently NTLM) for client impersonation, for security reasons.
I have 2 questions here.
The website is correctly authenticating the client when browsing, but for some obscure reason every Ajax call fails with a 401 Unauthorized error (it works when using anonymous authentication, so I guess the credentials are not encapsulated in the request?!). I have not had the time yet to investigate the communication between them, but I am sure one of the gurus here is able to help.
In the end the Windows authentication provider will be moved to Kerberos. Anything in particular to be careful about regarding this Ajax issue?
Please let me know if you need any other information.
I feel stupid ... restarting IIS solved the issue. Some days IT is a pleasure ...
Thanks to all of you.
The following answer is based on my understanding of NTLM/Kerberos and some speculation on how XmlHttpRequest reuses the information known to the browser. However, I haven't actually tried to reproduce your scenario and thus chances are that I am wrong.
Ok, here it goes. The NTLM session is a connection-oriented protocol. This means that if your server keeps returning "Keep-alive" and the client reuses the same connection, then there is no need for another authentication handshake. However, as soon as the connection is closed and opened again, a new handshake is required. As long as it is the browser that makes the request to the server, the new handshake is done automatically using the credentials cached in the browser's memory, the exact credentials you provided at the initial handshake.
This is why I believe your Ajax call doesn't work - it probably just opens a new connection and requires a new handshake (and it seems that for some reason it doesn't reuse the credentials cached in the browser's memory).
However, this should change if you switch to Kerberos. Kerberos is based on a challenge-response pattern where the browser and the server contact the authentication authority directly. Then, Kerberos keeps your authentication in an HTTP header with a ticket. Chances are the header WILL be automatically appended to your AJAX requests.
Note that, contrary to NTLM, Kerberos works only if BOTH the browser and the server can contact the authentication authority. This is why usually in IIS "Negotiate" is set as the authentication scheme - this tries Kerberos first and then switches back to NTLM if the authentication authority is not directly available to the browser.
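An added diagnostic helper, not written by the answerer or the asker, for seeing the NTLM versus Kerberos distinction from this answer on the wire: given the WWW-Authenticate values from a 401 and the Authorization header of the follow-up request (as captured in browser dev tools or an IIS/proxy log), it reports whether the Ajax request sent credentials at all and whether a Negotiate exchange actually carried a Kerberos ticket or fell back to NTLM. The header values and tokens are constructed samples; the prefix rules rely on the "NTLMSSP" magic that starts every NTLM message and on the DER tag that starts GSS-API/SPNEGO tokens.

```javascript
// Classify a Windows-auth handshake from raw HTTP headers. Added example
// (not from the thread); all header strings used with it are constructed.

// base64 of the bytes "NTLMSSP\0", the magic every NTLM message starts with
const NTLM_B64_PREFIX = "TlRMTVNTUA";
// SPNEGO / Kerberos GSS tokens are DER [APPLICATION 0] (tag 0x60) followed by
// a long-form length byte (0x81..0x83), so their base64 starts with "YI"
const GSS_B64_PREFIX = "YI";

// Schemes a 401 offers; IIS sends one WWW-Authenticate header per scheme.
function offeredSchemes(wwwAuthenticateValues) {
  return wwwAuthenticateValues
    .map((v) => v.trim().split(/\s+/)[0].toLowerCase())
    .filter((s) => s.length > 0);
}

// What the client actually put in Authorization on its follow-up request.
function classifyAuthorization(authorizationHeader) {
  if (!authorizationHeader) return { scheme: "none", mechanism: "none" };
  const parts = authorizationHeader.trim().split(/\s+/);
  const scheme = parts[0].toLowerCase();
  const token = parts[1] || "";
  if (scheme === "ntlm") return { scheme, mechanism: "ntlm" };
  if (scheme === "negotiate") {
    // Negotiate wraps either an NTLM message or a GSS/SPNEGO (Kerberos) token
    if (token.startsWith(NTLM_B64_PREFIX)) return { scheme, mechanism: "ntlm" };
    if (token.startsWith(GSS_B64_PREFIX)) return { scheme, mechanism: "kerberos" };
    return { scheme, mechanism: "unknown" };
  }
  return { scheme, mechanism: "other" };
}

// One-line verdict for a captured 401 challenge plus the client's next request.
function diagnose(wwwAuthenticateValues, authorizationHeader) {
  const offered = offeredSchemes(wwwAuthenticateValues);
  const sent = classifyAuthorization(authorizationHeader);
  if (sent.scheme === "none") {
    return "client sent no credentials (XHR/fetch not attaching Windows auth)";
  }
  if (!offered.includes(sent.scheme)) {
    return `client used ${sent.scheme} but server only offered ${offered.join(", ")}`;
  }
  if (sent.scheme === "negotiate" && sent.mechanism === "ntlm") {
    return "Negotiate fell back to NTLM (no Kerberos ticket was used)";
  }
  return `${sent.scheme} handshake using ${sent.mechanism}`;
}
```

If every failing Ajax request comes out as "client sent no credentials" while page navigations carry a token, the problem is on the client side (the XHR is not attaching Windows auth); a steady "fell back to NTLM" after the move to Kerberos points at an SPN or ticket problem instead.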