Each HTTP object being requested twice (401 then 200 responses)
- From: benny.hauk@xxxxxxxxx
- Date: Mon, 3 Mar 2008 07:42:08 -0800 (PST)
I'm running a .NET 1.1 app on IIS6 with keep-alives and Session state
enabled. Directory Security is set to only allow "Integrated Windows
Authentication" and the web.config authentication setting is
"windows". The web pages load fine and the client is correctly
passing the current user's credentials behind the scenes as they
should... almost.
When I run Fiddler on my IE7 browser I see that every object on the
page is requested twice. The first one fails with a 401-Not
Authorized because the request was made anonymously. When the browser
requests the same object a second time it uses Kerberos; "Negotiate"
with a HUGE token, which in my experience indicates that SSPI chose
Kerberos and not NTLM, which is good since that's a requirement for
our configuration (we have to delegate the credentials all the way
through an n-tiered architecture).
The problem is that every single object is authenticating essentially
from scratch, so each page and each object within a page is requested
twice and each second request has a HUGE payload in the header because
of the Kerberos overhead. The second request is always succeeding so
the user thinks everything is fine (overall performance of the server
stinks though and I think this is why - it's processing between 1-2
requests/sec).
As a contrast to that, when I go to the Advanced tab in my IE7 browser
and uncheck "Enable Integrated Windows Authentication" (essentially
forcing my browser to use NTLM instead of Kerberos) then the page and
its objects are requested more correctly (the first page is rejected
and tries again passing an NTLM token, then all other subsequent objects
pass a session ID cookie and therefore succeed the first time). I
would call this the fix/workaround, only, like I said, my customer's
requirements dictate that Kerberos be used instead of NTLM.
Anyone know how to make Kerberos behave more like NTLM in this way:
IE requests the page anonymously and gets a 401 response, then makes the same
request authenticating with Kerberos and gets a 200 response. THEN,
every other subsequent request tied to that session successfully gets
objects back the first time with Kerberos credentials being passed, so
they are only requested once and don't reauthenticate every single
request (which creates overhead in communicating with the domain
controller, etc, etc, etc).
One thing I noticed is that when I force NTLM the Cookie is of this
form:
Cookie: ASPSESSIONIDCCADBTCD=DKHBKJACBEAIGBBJAKAJJBKD
And when Kerberos is used the Cookie is of this form:
Cookie: ASP.NET_SessionId=yuwpra55mlvefl45srf5mbed
Ring any bells?
Benny
benny period hauk - gmail
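An added example, not code from the original thread: a small Python script that does two things a reader debugging the pattern above would want from a Fiddler export. It classifies each captured Authorization header as Kerberos or NTLM by decoding the base64 token and looking for the GSS-API framing, the SPNEGO and Kerberos OIDs, and the "NTLMSSP" signature (the "HUGE token" test from the post, made explicit), and it counts per URL how many requests were challenged with a 401 before a 200 came back, so the "every object fetched twice" ratio and the size of the re-sent token are visible in numbers. The trace line format (`METHOD URL | Authorization-or-(none) | status`), the URLs and the tokens are all constructed here; the Kerberos token is built with the real SPNEGO/GSS-API framing and OIDs but a filler AP-REQ body, and the NTLM messages are skeletons carrying only the signature and message type, because only those parts are inspected.

```python
import base64
import re
from collections import Counter

# DER-encoded OID contents (without tag/length) that a Negotiate token carries.
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def classify_token(authorization):
    """Return 'kerberos', 'ntlm' or 'unknown' for an Authorization header value."""
    m = re.match(r"(?i)^(Negotiate|NTLM)\s+([A-Za-z0-9+/=]+)$", authorization.strip())
    if not m:
        return "unknown"
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except ValueError:
        return "unknown"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"            # bare NTLMSSP message (NTLM scheme, or Negotiate falling back)
    if raw[:1] != b"\x60":
        return "unknown"         # a GSS-API InitialContextToken starts with [APPLICATION 0]
    head = raw[:16]
    if KRB5_OID in head or MS_KRB5_OID in head:
        return "kerberos"        # bare Kerberos token without an SPNEGO wrapper
    if SPNEGO_OID not in head:
        return "unknown"
    if NTLMSSP_SIGNATURE in raw:
        return "ntlm"            # SPNEGO NegTokenInit whose mechToken is an NTLM message
    if KRB5_OID in raw or MS_KRB5_OID in raw:
        return "kerberos"        # SPNEGO carrying a Kerberos AP-REQ (the large-token case)
    return "unknown"


def analyze_trace(trace):
    """Per URL: requests seen, 401s received, and mechanism/base64 size of the token that got a 200.
    Trace lines (assumed format) are 'METHOD URL | Authorization-or-(none) | status'."""
    stats = {}
    for line in trace.strip().splitlines():
        request, auth, status = (part.strip() for part in line.split("|"))
        _method, url = request.split()
        s = stats.setdefault(url, {"requests": 0, "unauthorized": 0, "mechanism": None, "token_b64_len": 0})
        s["requests"] += 1
        if status == "401":
            s["unauthorized"] += 1
        elif status == "200" and auth != "(none)":
            s["mechanism"] = classify_token(auth)
            s["token_b64_len"] = len(auth.split(None, 1)[1])
    return stats


def summarize(stats):
    """Roll the per-URL stats up: how much of the traffic was 401 retries, and with what mechanism."""
    total = sum(s["requests"] for s in stats.values())
    challenged = sum(s["unauthorized"] for s in stats.values())
    return {
        "urls": len(stats),
        "requests": total,
        "challenged": challenged,
        "challenge_ratio": round(challenged / total, 2),
        "mechanisms": dict(Counter(s["mechanism"] for s in stats.values() if s["mechanism"])),
        "largest_token_b64": max(s["token_b64_len"] for s in stats.values()),
    }


# ---- constructed sample input (not a capture from the poster's server) ----

def _der(tag, content):
    """Minimal DER TLV encoder, enough to lay out a structurally valid SPNEGO token."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_spnego_kerberos(ap_req_len=1500):
    """NegTokenInit with mechTypes [MS-KRB5, KRB5, NTLMSSP] and a Kerberos mechToken.
    The AP-REQ body is zero filler; only the framing and OIDs are realistic."""
    mech_types = _der(0x30, _der(0x06, MS_KRB5_OID) + _der(0x06, KRB5_OID) + _der(0x06, NTLMSSP_OID))
    krb_token = _der(0x60, _der(0x06, KRB5_OID) + b"\x01\x00" + _der(0x6e, b"\x00" * ap_req_len))
    neg_init = _der(0x30, _der(0xa0, mech_types) + _der(0xa2, _der(0x04, krb_token)))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xa0, neg_init))


def constructed_ntlm_message(msg_type):
    """NTLMSSP message skeleton: signature, MessageType, then zeroed fields (constructed)."""
    return NTLMSSP_SIGNATURE + msg_type.to_bytes(4, "little") + b"\x00" * 24


KRB_B64 = base64.b64encode(constructed_spnego_kerberos()).decode()
NTLM1_B64 = base64.b64encode(constructed_ntlm_message(1)).decode()
NTLM3_B64 = base64.b64encode(constructed_ntlm_message(3)).decode()

# The pattern from the post: every object is challenged, then re-fetched with a Kerberos token.
KERBEROS_TRACE = f"""
GET /app/default.aspx | (none) | 401
GET /app/default.aspx | Negotiate {KRB_B64} | 200
GET /app/styles.css | (none) | 401
GET /app/styles.css | Negotiate {KRB_B64} | 200
GET /app/logo.gif | (none) | 401
GET /app/logo.gif | Negotiate {KRB_B64} | 200
"""

# NTLM: one two-leg handshake, after which the keep-alive connection is
# authenticated and later objects carry no Authorization header at all.
NTLM_TRACE = f"""
GET /app/default.aspx | (none) | 401
GET /app/default.aspx | NTLM {NTLM1_B64} | 401
GET /app/default.aspx | NTLM {NTLM3_B64} | 200
GET /app/styles.css | (none) | 200
GET /app/logo.gif | (none) | 200
"""

if __name__ == "__main__":
    for name, trace in (("kerberos", KERBEROS_TRACE), ("ntlm", NTLM_TRACE)):
        print(name, summarize(analyze_trace(trace)))
```

On a real export, feed `analyze_trace` one line per Fiddler session with the request's Authorization header (or `(none)`) and the response status; a challenge ratio near 0.5 with every 200 carrying a Kerberos token is exactly the double-fetch pattern described above, while a handful of challenged URLs followed by unauthenticated 200s is the NTLM connection-level behaviour.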