Eradicating 401 “Unauthorised” responses followed by 200 “Ok” responses

Question

I’ve got a situation with a large internal corporate web based application running ASP.NET 3.5 on IIS6 generating 401 “Unauthorised” responses followed by 200 “Ok” responses

Answer 1

CSCRIPT.EXE c:\inetpub\adminscripts\ADSUTIL.VBS SET W3SVC/AuthPersistSingleRequest FALSE

Will reduce the amount of 401's significantly.

Answer 2

I believe you can convince Firefox to automatically send NTLM credentials to a whitelisted set of domains via "about:config" settings - use the "network.automatic-ntlm-auth.trusted-uris" setting. I haven't tried this myself though. I'm not sure there's any equivalent for Internet Explorer.

Unfortunately if you're using something else like Kerberos there does not seem to be a way to avoid the 401.

Answer 3

Unfortunately this is an artifact of the HTTP NTLM authentication scheme.

In short, the browser (Internet Explorer or otherwise) doesn't know that it needs to authenticate at all until it gets bounced with a 401 response containing a WWW-Authenticate response header.

In the case of WWW-Authenticate: NTLM -- annoyingly enough -- it requires two 401 responses on a single persistent connection to complete, and this process must be repeated once the HTTP persistent connection is closed. So even if you were able to get the browser to initiate a request blindly attempting NTLM, at least one 401 response cannot be removed from the transaction.

I think your best bet would be to maximize the amount of time that persistent connections are left open when idle.

Answer 4

You may need to consider Forms Authentication if the 401-induced latency is too long. The users would have to explicitly log in, but just once. Then you could use a cookie or cookieless scheme and get a response on the first try.

I imagine that page load would be slow if you have cascading drop-downs and your initial page load populates one value that causes a POST to get the next list, set that value, another POST to get the next list again, and so on. If this is the situation, perhaps you need to populate all those drop-downs on the first round-trip rather than waiting for POST responses.

Answer 5

TL;DR I put HTTP header information in HTTP body

My example is in Angular, but any TypeScript/JavaScript (framework) might have the same issue.

When doing a HTTP post call to my backend API, which requires headers with the logged in user information, I added my HTTP headers where my HTTP body should be and the headers were empty.

PROBLEM

  markInstructionAsCompleted(visitScheduleId: string, instructionId: number) {
    return this.http.post(`${environment.apiUrl}/VisitInstructions/schedule/${visitScheduleId}/done/${instructionId}`, this.getHeaderWithAuthorization());
  }

SOLUTION, notice that there's an added second argument to the HTTP post call, which is null

  markInstructionAsCompleted(visitScheduleId: string, instructionId: number) {
    return this.http.post(`${environment.apiUrl}/VisitInstructions/schedule/${visitScheduleId}/done/${instructionId}`, null, this.getHeaderWithAuthorization());
  }