Strange Digest Authentication behaviour

From: Stephen McNabb (
Date: 01/23/03

From: "Stephen McNabb" <>
Date: Thu, 23 Jan 2003 12:04:30 -0000


We have a VB6 front end client talking to a VB6 COM+ midtier using SOAP (MS
Soap Toolkit 3). The IIS web server on the midtier is setup to use Digest
Authentication to provide the security we need. Everything is working as it
should except we have noticed a strange behaviour in the system running in
our client's live environment - every single request to the server is
getting a 401 Access Denied message and having to re-authenticate.

My understanding of how digest authentication works is:

- First request to server is given 401 Access Denied message with nonce
attached in headers
- Client resends with username, password and nonce it receives, and server
authenticates user and caches information
- Every subsequent request is sent with username, password and nonce and no
re-authentication is required because server uses cached information

This is the behaviour we are seeing in our test and development environments
but in our live environment, with the same mid-tier and client versions of
the application, we see every request having to go through the
401/authentication process. As you can imagine this is affecting system
performance and bandwidth usage.

Does anyone have an idea of where we should start looking to see why each
request needs to be authenticated? I'm assuming it's a web server
configuration issue but I have checked the basic security setup and it all
looks ok. If you have seen behaviour like this before then please let me