401 Using Multiple Authentication methods IE 10 only
I am not sure if this is more of a coding issue or a server setup issue, so I've posted it on Stack Overflow and here...
On our production site we've run into an issue that is specific to Internet Explorer 10.
I am using jQuery to do an AJAX POST to a web service on the same domain, and in IE10 I am getting a 401 response; IE9 works perfectly fine. I should mention that we have mirrored code in another area of our site and it works perfectly fine in IE10. The only difference between the two areas is that one is under a subdomain and the other is at the root level: www.my1stdomain.com vs. portal.my2nddomain.com
The directory structure on the server for these are:
\my1stdomain\webservice\name\service.aspx
\portal\webservice\name\service.aspx
Inside of the \portal\ and \my1stdomain\ folders I have a page that does an ajax call, both pages are identical.
$.ajax({
    type: 'POST',
    url: '/webservice/name/service.aspx/function',
    cache: false,
    contentType: 'application/json; charset=utf-8',
    dataType: 'json',
    data: '{ "json": "data" }',
    success: function() {
    },
    error: function() {
    }
});
I've verified permissions are the same on both folders on the server side. I've applied a workaround fix of placing the <meta http-equiv="X-UA-Compatible" value="IE=9"> to force compatibility view (putting IE into compatibility mode fixes the issue). This seems to be working in IE10 on Windows 7; however, IE 10 on Windows 8 still sees the same issue. These pages are classic ASP with the headers that are being included; also, there are no other meta tags being used. The doctype is being specified as <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//" "http://www.w3.org/TR/html4/loose.dtd"> on the portal page and <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> on the main domain.
UPDATE1
I used Microsoft Network Monitor 3.4 on the server to capture the request. I used the following filter to capture the 401:
Property.HttpStatusCode.StringToNumber == 401
This was the response
- Http: Response, HTTP/1.1, Status: Unauthorized, URL: /webservice/name/service.aspx/function Using Multiple Authetication Methods, see frame details
ProtocolVersion: HTTP/1.1
StatusCode: 401, Unauthorized
Reason: Unauthorized
- ContentType: application/json; charset=utf-8
- MediaType: application/json; charset=utf-8
MainType: application/json
charset: utf-8
Server: Microsoft-IIS/7.0
jsonerror: true
- WWWAuthenticate: Negotiate
- Authenticate: Negotiate
WhiteSpace:
AuthenticateData: Negotiate
- WWWAuthenticate: NTLM
- Authenticate: NTLM
WhiteSpace:
AuthenticateData: NTLM
XPoweredBy: ASP.NET
Date: Mon, 04 Mar 2013 21:13:39 GMT
ContentLength: 105
HeaderEnd: CRLF
- payload: HttpContentType = application/json; charset=utf-8
HTTPPayloadLine: {"Message":"Authentication failed.","StackTrace":null,"ExceptionType":"System.InvalidOperationException"}
The thing here that really stands out is
Unauthorized, URL: /webservice/name/service.aspx/function Using Multiple Authentication Methods
With this I'm still confused as to why this only happens in IE10 if it's a permission/authentication issue. What was added to 10, or where should I be looking for the root cause of this?
UPDATE2
Here are the headers from the client machine from Fiddler (server information removed):
Main
SESSION STATE: Done.
Request Entity Size: 64 bytes.
Response Entity Size: 9 bytes.
== FLAGS ==================
BitFlags: [ServerPipeReused] 0x10
X-EGRESSPORT: 44537
X-RESPONSEBODYTRANSFERLENGTH: 9
X-CLIENTPORT: 44770
UI-COLOR: Green
X-CLIENTIP: 127.0.0.1
UI-OLDCOLOR: WindowText
UI-BOLD: user-marked
X-SERVERSOCKET: REUSE ServerPipe#46
X-HOSTIP: ***.***.***.***
X-PROCESSINFO: iexplore:2644
== TIMING INFO ============
ClientConnected: 14:43:08.488
ClientBeginRequest: 14:43:08.488
GotRequestHeaders: 14:43:08.488
ClientDoneRequest: 14:43:08.488
Determine Gateway: 0ms
DNS Lookup: 0ms
TCP/IP Connect: 0ms
HTTPS Handshake: 0ms
ServerConnected: 14:40:28.943
FiddlerBeginRequest: 14:43:08.488
ServerGotRequest: 14:43:08.488
ServerBeginResponse: 14:43:08.592
GotResponseHeaders: 14:43:08.592
ServerDoneResponse: 14:43:08.592
ClientBeginResponse: 14:43:08.592
ClientDoneResponse: 14:43:08.592
Overall Elapsed: 0:00:00.104
The response was buffered before delivery to the client.
== WININET CACHE INFO ============
This URL is not present in the WinINET cache. [Code: 2]
Portal
SESSION STATE: Done.
Request Entity Size: 64 bytes.
Response Entity Size: 105 bytes.
== FLAGS ==================
BitFlags: [ClientPipeReused, ServerPipeReused] 0x18
X-EGRESSPORT: 44444
X-RESPONSEBODYTRANSFERLENGTH: 105
X-CLIENTPORT: 44439
X-CLIENTIP: 127.0.0.1
X-SERVERSOCKET: REUSE ServerPipe#7
X-HOSTIP: ***.***.***.***
X-PROCESSINFO: iexplore:7132
== TIMING INFO ============
ClientConnected: 14:37:59.651
ClientBeginRequest: 14:38:01.397
GotRequestHeaders: 14:38:01.397
ClientDoneRequest: 14:38:01.397
Determine Gateway: 0ms
DNS Lookup: 0ms
TCP/IP Connect: 0ms
HTTPS Handshake: 0ms
ServerConnected: 14:37:57.880
FiddlerBeginRequest: 14:38:01.397
ServerGotRequest: 14:38:01.397
ServerBeginResponse: 14:38:01.464
GotResponseHeaders: 14:38:01.464
ServerDoneResponse: 14:38:01.464
ClientBeginResponse: 14:38:01.464
ClientDoneResponse: 14:38:01.464
Overall Elapsed: 0:00:00.067
The response was buffered before delivery to the client.
== WININET CACHE INFO ============
This URL is not present in the WinINET cache. [Code: 2]
Solution 1:
You may want to test the client registry setting described here:
An unexpected 401.1 status is returned when using Pre-Authentication Headers with Internet Explorer and Internet Information Services
http://support.microsoft.com/kb/2749007
Client test:
Key: HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings/
Value: DisableNTLMPreAuth
Data Type: REG_DWORD
Value: 1
Server fix:
To modify this behavior in IIS, disable Kernel Mode Authentication for the IIS web application.
- Open Internet Information Services (IIS) Manager
- In the Connections pane, expand the server name, expand Sites, and then the site, application, or Web service for which you want to disable Kernel Mode Authentication.
- Scroll to the Security section in the Home pane, and then double-click Authentication.
- In the Authentication pane, select Windows Authentication.
- Click Advanced Settings in the Actions pane.
- When the Advanced Settings dialog box appears, uncheck the Enable Kernel-mode authentication checkbox.
- Click OK to close the Advanced Settings dialog box.
IMPORTANT: Disabling Kernel Mode Authentication may cause web applications that require Kerberos authentication and delegation to fail.
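The client test and the server change from the answer above, scripted in PowerShell as an added example (not part of the original answer or the KB article). The site path `Default Web Site/portal` is a placeholder assumption; `useKernelMode` is the IIS configuration attribute behind the Enable Kernel-mode authentication checkbox.

```powershell
# Added example. Assumption: $SitePath is a placeholder; set it to the
# site/application that returns the 401.
$SitePath = 'Default Web Site/portal'

# --- Client test: run as the affected user on the IE10 machine ---
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
New-ItemProperty -Path $key -Name 'DisableNTLMPreAuth' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Confirm the value was written (expect 1), then restart IE and retest.
(Get-ItemProperty -Path $key -Name 'DisableNTLMPreAuth').DisableNTLMPreAuth

# To undo the client test afterwards:
# Remove-ItemProperty -Path $key -Name 'DisableNTLMPreAuth'

# --- Server change: run elevated on the IIS server ---
Import-Module WebAdministration

$apphost = 'MACHINE/WEBROOT/APPHOST'
$filter  = '/system.webServer/security/authentication/windowsAuthentication'

# Record the current setting so the change can be rolled back.
$before = (Get-WebConfigurationProperty -PSPath $apphost -Location $SitePath `
    -Filter $filter -Name 'useKernelMode').Value
Write-Output "useKernelMode before change: $before"

# Disable kernel-mode authentication for this site/application only,
# leaving every other site on the server unchanged.
Set-WebConfigurationProperty -PSPath $apphost -Location $SitePath `
    -Filter $filter -Name 'useKernelMode' -Value $false

# Verify the change took effect.
$after = (Get-WebConfigurationProperty -PSPath $apphost -Location $SitePath `
    -Filter $filter -Name 'useKernelMode').Value
Write-Output "useKernelMode after change: $after"

# Rollback if Kerberos-dependent applications under this path start failing:
# Set-WebConfigurationProperty -PSPath $apphost -Location $SitePath `
#     -Filter $filter -Name 'useKernelMode' -Value $before
```

Scoping the change with `-Location` keeps kernel-mode authentication enabled everywhere else, which limits the Kerberos and delegation impact noted above to the one application being changed.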