Re: Double number of calls when Basic Authentication?

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 05/26/04 

Date: Wed, 26 May 2004 23:05:33 +1000

That's the way any HTTP authentication system works (by default). If you use
NTLM v2 (part of Integrated Windows Auth) you'll see even more requests
logged :-)

The first request is anonymous. The server denies the anonymous request, and
sends back a list of supported authentication mechanisms. The client picks
the strongest one that it supports, and then attempts the request again
using credentials. Most clients will then cache the credentials for
subsequent accesses to the server, until the client is terminated.

Now, I suppose you could build a custom client that doesn't attempt
anonymous authentication first - it authenticates from the very first
request.

Cheers
Ken

"Joe H" <jharri@hotmail.com> wrote in message
news:OL82otxQEHA.3348@TK2MSFTNGP09.phx.gbl...
: I have a web service that is set to use Basic Authentication (for users
: outside the firewall). They are coming in over SSL. It uses Integrated
: Authentication for internal users.
:
: For the users who are requesting service with Basic Authentication, there
is
: a VB.Net client application which is using the NetworkCredential to pass
the
: authentication information to the web service.
:
: However, the sequence of events that seems to always happen is:
:
: 1. client sends request
: 2. service responds with 401
: 3. client sends request again, this time including the authentication
: information (user, password, domain)
:
: So, in my IIS logs, there is a duplicate entry for each call to the web
: service. The first log entry has a user value of " - " (this entry also
has
: the 401 code returned), and the second log entry has the correct user
name.
: I am certain that this is affecting overall performance of the web
service.
:
: What do I need to do in order to eliminate this "round-trip" from
happening?
:
: Thanks,
: Joe
:
:

Relevant Pages

  • Re: BASIC authentication Issues with IE - Part II - Solved but WHY?
    ... it does not know the difference between a request from IE or from ... some other HTTP client. ... Some other authentication schemes are more ... IIS can sometimes remember the token for a particular set of credentials so ...
    (microsoft.public.inetserver.iis.security)
  • Re: HTTP - basic authentication example.
    ... or *never* knowing the realm..) ... This is called authentication and is implemented ... requests a web page it sends a request to the server. ... consists of headers with certain information about the request. ...
    (comp.lang.python)
  • Re: Why IAS get stuck on authenticating PEAP (MS-CHAP2) clients
    ... processed the request and sent message for which it expects response. ... could be that packet some how did not reach the client or client decided to ... > We are trying to implement PEAP security authentication using ... > session has ...
    (microsoft.public.internet.radius)
  • WSE 2.0 error: Requested registry access is not allowed
    ... authentication. ... either for web service and client. ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: Each HTTP object being requested twice (401 then 200 responses)
    ... Authentication" and the web.config authentication setting is ... Authorized because the request was made anonymously. ... requests the same object a second time it uses kerberos; ... Kerberos tokens should not be regenerated for every request. ...
    (microsoft.public.inetserver.iis.security)