Re: client gets always every first time for every page a 401
From: BB (qbernard_at_hotmail.com)
Date: 06/03/03
- Next message: BB: "Re: client gets always every first time for every page a 401"
- Previous message: BB: "Re: Users no longer be able to logon"
- In reply to: Stephen L Nicoud: "Re: client gets always every first time for every page a 401"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 3 Jun 2003 14:49:15 +0800
Ok. I was looking at the exact log at the bottom.
-----
2003-05-26 15:58:32 166.11.47.199 - /banking_content_management/common/login_action/0,,,00.html 302 217 1922
2003-05-26 15:58:32 166.11.47.199 - /csam_content_management/csam_content_management_home 401 797 16
2003-05-26 15:58:32 166.11.47.199 szrh91604\logicacma /csam_content_management/csam_content_management_home/ 302 402 0
2003-05-26 15:58:32 166.11.47.199 szrh91604\logicacma /csam_content_management/csam_content_management_home/0,,,00.html 200 16943 16
2003-05-26 15:58:32 166.11.47.199 szrh91604\logicacma /banking_content_management/common/images/csam.gif 200 1746 31
2003-05-26 15:58:32 166.11.47.199 szrh91604\logicacma /banking_content_management/common/images/provider.gif 304 141 16
---
"When Internet Explorer has established a connection with the server by using Basic or NTLM authentication, it passes the credentials for every new request for the duration of the session."

This is valid so far; my test shows the above. Only the first request gets a 401.
As you mentioned, this is not IIS site, I just tested IE6.0 and W2k Adv. I don't see the '401' a second time, even when I entered just the subfolder name in the URL bar.
It could be IE settings, but which settings?

I tested with wfetch.exe as well: if anonymous, get 401, then using basic, no issue after that.

Thanks for your clarification, this is the first time I see this error.

--
Regards,
Bernard Cheah
http://support.microsoft.com/

"Stephen L Nicoud" <nicouds@hotmail.com> wrote in message news:eCLcflIKDHA.1772@TK2MSFTNGP10.phx.gbl...

Look at megloff's first post in this thread (news:uCvlmpGJDHA.3272@tk2msftngp13.phx.gbl). Pay particular attention to this section:

"Here an example sequence to make it more understandable:

1.[Browser] Get /myRoot/myFolder/MyDoc.html
2.[Server] 401 (Basic Realm)
3.[Browser] Get /myRoot/myFolder/MyDoc.html Basic:xxxxxxx
4.[Server] 200 Ok
5.[Browser] Get /myRoot/myFolder/mySubFolder
6.[Server] 401 (Basic Realm)
7.[Browser] Get /myRoot/myFolder/mySubFolder Basic:xxxxxx
8.[Server] 200 Ok
...
// If I am accessing the same page the second time it works
x.[Browser] Get /myRoot/myFolder/mySubFolder Basic:xxxxxx
xi.[Server] 200 Ok

Why does my Browser in case 5 not submit the Basic Authorization String automatically? So the Browser should know that he can use the same credentials as used in 3, because they have the same root."

Note in #1 there is a "Get" of "MyDoc.html" and again in #3 (hence my reference to "2 GET requests"). In #1 the access was denied (as shown by #2). In #3 the access was accepted (as shown by #4). There's nothing unusual about that if that is the first access to the website's FQDN (fully qualified domain name) for a resource that is not configured for anonymous access.

But then look at #5. Why does the browser not send the credentials with the "Get" of "mySubFolder"? By not sending the credentials in that "Get" request, IIS will properly reject the request with a 401. So now the browser resends the same "Get" request with the proper credentials (#7), but (note well) the user wasn't prompted for them; the browser automatically provided them from the credentials provided in step #3. Well, why didn't the browser send the credentials in #5? Interestingly, 3rd and subsequent GET requests to the same resource are sent with the credentials.

I don't believe this is the desired nor the designed for behavior. megloff's quote from the reference BB provided (http://support.microsoft.com/?id=264921) is most telling: "When Internet Explorer has established a connection with the server by using Basic or NTLM authentication, it passes the credentials for every new request for the duration of the session." In fact, that language appears twice in the article, once for NT4 and once for Windows 2000.

What configuration of the browser is causing this? I don't believe this is an IIS configuration issue, but a browser configuration issue. I've seen this problem posted before in this newsgroup, but I've never seen a knowledgeable and satisfactory explanation of why it occurs and what to change in the configuration to eliminate it.

"BB" <qbernard@hotmail.com> wrote in message news:e4$DIsdJDHA.336@tk2msftngp13.phx.gbl...
> I'm a bit lost :)
>
> 2 GET requests?
> Are you referring to the double posts of his CMS ISAPI filter?
>
> --
> Regards,
> Bernard Cheah
> http://support.microsoft.com/
>
> "Stephen L Nicoud" <nicouds@hotmail.com> wrote in message news:#J1ZrycJDHA.2224@TK2MSFTNGP11.phx.gbl...
> I think you are missing megloff's point.
>
> What you say is correct with respect to the first non-anonymous access to a server. Megloff's point is that he is seeing this behavior (anonymous access first, which is denied; then a second request for the same resource with credentials) for each and every resource request.
>
> His log (see his post that started this thread) is showing 2 GET requests for every resource. The first of the two requests for a resource is denied because it is sent without credentials. The second is successful because it does include the credentials. For all but the first access to any non-anonymous resource on a server there should only be one GET request.
>
> "BB" <qbernard@hotmail.com> wrote in message news:#eLBIxaJDHA.2068@TK2MSFTNGP10.phx.gbl...
> > Errr, this is what I read
> > ---
> > Orders of Precedence: When the browser makes a request, it always considers the first request to be Anonymous. Therefore, it does not send any credentials. If the server does not accept Anonymous or if the Anonymous user account set on the server does not have permissions to the file being requested, the IIS server responds with an "Access Denied" error message and sends a list of the authentication types that are supported by using one of the following scenarios:
> >
> > --If Windows Integrated is the only supported method (or if Anonymous fails), then the browser must support this method to communicate with the server. The server tries Kerberos first, and if this fails, then the server falls back to Windows NT Challenge/Response. If this fails, the server does not try any of the other methods.
> >
> > --If Basic is the only supported method (or if Anonymous fails), then a dialog box appears in the to get the credentials, and then passes these to the server. It attempts to send the credentials up to three times. If these all fail, the browser does not connect to the server.
> >
> > --If both Basic and Windows Integrated are supported, the browser determines which method is used. If the browser supports Kerberos or Windows NT Challenge/Response, it uses this method. It does not fall back to Basic. If Windows NT Challenge/Response and Kerberos are not supported, the browser uses Basic, Digest, or Fortezza if it supports these. The order of precedence here is Basic, Digest, and then Fortezza.
> > ____
> >
> > From what I've seen it always tries an anonymous connection first; I'm not sure how to make 'basic' auth the first choice. As far as IE is concerned, unlikely you are able to change it.
> >
> > --
> > Regards,
> > Bernard Cheah
> > http://support.microsoft.com/
> >
> > "megloff" <joes@bluewîn.ch> wrote in message news:uOfUfDVJDHA.1360@TK2MSFTNGP10.phx.gbl...
> > > Thank you, but on that page is this behaviour not clear enough described. Here the following snipped extract:
> > >
> > > ---
> > > When your browser establishes a connection with a Web site by using Basic or NTLM authentication, it does not fall back to Anonymous during the rest of that session with the server.
> > >
> > > If you try to connect to a Web page that is marked for Anonymous only after authenticating, you will be denied. (This may or may not hold true for Netscape).
> > > When Internet Explorer has established a connection with the server by using Basic or NTLM authentication, it passes the credentials for every new request for the duration of the session.
> > > ---
> > >
> > > I analyzed the log file of the IIS, it seems that the browser does not make an anonymous authentication for every new site. Sometimes it passes the credentials also directly for new pages, although they are the first time requested in the session.
> > >
> > > So my further question, what needs my browser (IE 5.01) in order to not fall back to the anonymous mode? What are the criteria? Does the IIS set some cookies for the authentication? If yes, exists there any detailed information?
> > >
> > > You ask may be your self, why is that so important for me. We are using Vignette, a CMS which operates with an own ISAPI filter. Unfortunately when the basic authentication is activated on that server instance, it produces double form posts, because the filter is not intelligent enough to identify that the first request is handled by the IIS with a 401. This product version is also not supported any more, that means I have to look for a workaround.
> > >
> > > So any further suggestions?
> > > Thank you in advance.
> > > regards
> > >
> > > Mark
> > >
> > > *** Sent via Developersdex http://www.developersdex.com ***
> > > Don't just participate in USENET...get rewarded for it!
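
The pattern debated in this thread (a 401 on only the first request versus a 401 before every new resource) can be measured directly from a log. The following is an added example, not part of any post in the thread; the field order is assumed from the log excerpt above, and the addresses, user name and paths are constructed.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "client user uri status")

# Constructed sample in the field order of the log excerpt in the post:
# date time client-ip username uri status, then two numeric fields ignored here.
SAMPLE_LOG = """\
2003-05-26 15:58:32 192.0.2.10 - /docs/report.html 401 797 16
2003-05-26 15:58:32 192.0.2.10 HOST\\alice /docs/report.html 200 16943 16
2003-05-26 15:58:33 192.0.2.10 HOST\\alice /docs/images/logo.gif 200 1746 31
2003-05-26 15:58:40 192.0.2.10 - /docs/archive 401 797 16
2003-05-26 15:58:40 192.0.2.10 HOST\\alice /docs/archive/ 302 402 0
2003-05-26 15:58:41 192.0.2.10 HOST\\alice /docs/archive/index.html 200 5120 15
2003-05-26 15:59:02 192.0.2.77 - /docs/report.html 401 797 0
"""


def parse(text):
    """Return an Entry for every well-formed record; skip directives and fragments."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 6 or not parts[5].isdigit():
            continue
        entries.append(Entry(parts[2], parts[3], parts[4], int(parts[5])))
    return entries


def challenge_report(entries):
    """Pair each anonymous 401 with the next authenticated request from the same
    client for the same URI (trailing slash ignored) and classify the pair."""
    pending = {}           # (client, normalised uri) -> challenged Entry
    authenticated = set()  # clients that already sent credentials (assumes one user per IP)
    report = {"first_challenge": [], "repeat_challenge": [], "unanswered": []}
    for e in entries:
        key = (e.client, e.uri.rstrip("/") or "/")
        if e.user == "-":
            if e.status == 401:
                pending[key] = e
            continue
        challenged = pending.pop(key, None)
        if challenged is not None:
            kind = "repeat_challenge" if e.client in authenticated else "first_challenge"
            report[kind].append((challenged.uri, e.user))
        authenticated.add(e.client)
    report["unanswered"] = [(e.client, e.uri) for e in pending.values()]
    return report


if __name__ == "__main__":
    for kind, items in challenge_report(parse(SAMPLE_LOG)).items():
        print(kind, items)
```

Entries under `repeat_challenge` are the extra anonymous round trips megloff reports; `unanswered` lists 401s that were never followed by an authenticated request from that client.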