jQuery - Getting an NTLM Challenge from an AJAX POST on just one page
Quite a mystery here. I have an ASP.NET MVC 4 web application using Windows authentication that has been maintained for 18 months without issue. Recently, I deployed a fresh site, and I've encountered the following strange behavior.
I am using jQuery 1.8.2 $.ajax calls to post data to server endpoints to update data. This works fine except on 1 page, where the AJAX post triggers a new NTLM negotiation. The same problem is exhibited in Chrome, IE, and Firefox. While the issue is the same in all browsers, it manifests in different ways:
- Firefox: Received a 401 challenge response from the server, and it brings up a username/password dialog asking for credentials in an infinite loop. Canceling the credential checks causes the request to fail with an unauthorized response.
- IE: No response from the server, and the request status shows "(aborted)" in the network monitor.
- Chrome: No response from the server, and the request status shows "(failure)" in the network monitor.
The core issue seems to be that the Connection: keep-alive header is not being sent with the problematic AJAX request, but is in the other cases. However, the underlying JavaScript code is identical, and the AJAX calls function in a development environment set up to use Windows authentication.
Also, attempting to set the Connection request header in the beforeSend callback has no effect.
Any insights into the root of the problem, or ways to isolate whatever difference exists between the 2 AJAX posts, would be appreciated.
Working code and request headers

    $.ajax({
        url: url,
        type: "post",
        data: $("#myform").serialize(),
        cache: false,
        success: function (response) { }
    });

    accept:*/*
    accept-encoding:gzip, deflate
    accept-language:en-us,en;q=0.8
    connection:keep-alive
    content-length:621
    content-type:application/x-www-form-urlencoded; charset=utf-8
    host:www.xxx.yyy.zzz
    origin:http://www.xxx.yyy.zzz
    referer:http://www.xxx.yyy.zzz/app/resource/path
    user-agent:mozilla/5.0 (windows nt 6.1; wow64) applewebkit/537.36 (khtml, gecko) chrome/42.0.2311.135 safari/537.36
    x-requested-with:xmlhttprequest

Failing code and request headers

    $.ajax({
        url: url,
        type: "post",
        data: data,
        cache: false,
        success: function (data, status, xhr) { }
    });

    warn: provisional headers shown
    accept:*/*
    content-type:application/x-www-form-urlencoded; charset=utf-8
    origin:http://www.xxx.yyy.zzz
    referer:http://www.xxx.yyy.zzz/app/resource/item/1
    user-agent:mozilla/5.0 (windows nt 6.1; wow64) applewebkit/537.36 (khtml, gecko) chrome/42.0.2311.135 safari/537.36
    x-requested-with:xmlhttprequest

I have looked at the network process in Chrome's chrome://net-internals/#events viewer. Here is the event log from the failed request at the point where it deviates from the successful one. The failed request gets an "HTTP/1.1 401 Unauthorized" while the successful request gets an "HTTP/1.1 200 OK" response, presumably due to the presence of the Connection: keep-alive header.

    2303: url_request
    start time: 2015-04-28 13:53:41.788

    t=14736 [st= 0] +request_alive [dt=71]
    t=14736 [st= 0]    url_request_delegate [dt=0]
    t=14736 [st= 0]   +url_request_start_job [dt=70]
                       --> load_flags = 2688000 (bypass_data_reduction_proxy | maybe_user_gesture | report_raw_headers | verify_ev_cert)
                       --> method = "post"
                       --> priority = "low"
                       --> upload_id = "0"
                       --> url = "http://..."
    t=14736 [st= 0]      url_request_delegate [dt=0]
    t=14736 [st= 0]      http_cache_get_backend [dt=0]
    t=14736 [st= 0]      url_request_delegate [dt=0]
    t=14736 [st= 0]     +http_stream_request [dt=0]
    t=14736 [st= 0]        http_stream_request_bound_to_job
                           --> source_dependency = 2305 (http_stream_job)
    t=14736 [st= 0]     -http_stream_request
    t=14736 [st= 0]     +http_transaction_send_request [dt=0]
    t=14736 [st= 0]        http_transaction_send_request_headers
                           --> post ... http/1.1
                               host: www.xxx.yyy.zzz
                               connection: keep-alive
                               content-length: 105
                               accept: */*
                               origin: http://www.xxx.yyy.zzz
                               user-agent: mozilla/5.0 (windows nt 6.1; wow64) applewebkit/537.36 (khtml, gecko) chrome/42.0.2311.135 safari/537.36
                               x-requested-with: xmlhttprequest
                               content-type: application/x-www-form-urlencoded; charset=utf-8
                               referer: http://www.xxx.yyy.zzz/app/resource/item/1
                               accept-encoding: gzip, deflate
                               accept-language: en-us,en;q=0.8
    t=14736 [st= 0]        http_transaction_send_request_body
                           --> did_merge = true
                           --> is_chunked = false
                           --> length = 105
    t=14736 [st= 0]     -http_transaction_send_request
    t=14736 [st= 0]     +http_transaction_read_headers [dt=0]
    t=14736 [st= 0]        http_stream_parser_read_headers [dt=0]
    t=14736 [st= 0]        http_transaction_read_response_headers
                           --> http/1.1 401 unauthorized
                               content-type: text/html
                               server: microsoft-iis/7.5
                               www-authenticate: negotiate
                               www-authenticate: ntlm
                               x-powered-by: asp.net
                               x-ua-compatible: ie=9
                               date: tue, 28 apr 2015 18:53:41 gmt
                               content-length: 1293

Edit
Playing around with different requests from the console gives the following table of results (under Chrome). The current base URL is http://ipaddress/app/topic/item, and the test is to execute $.ajax({ url: url, type: 'post' })
+--------------------------------------+----------------------------+
| url                                  | response                   |
+--------------------------------------+----------------------------+
| http://ip/app/topic/item/1/subitem/1 | net::err_invalid_handle    |
| //ip/app/topic/item/1/subitem/1      | net::err_invalid_handle    |
| /app/topic/item/1/subitem/1          | net::err_invalid_handle    |
| 1/subitem/1                          | net::err_invalid_handle    |
| 1/foo                                | 404 (not found) [expected] |
| 1                                    | 302 (redirect) [expected]  |
+--------------------------------------+----------------------------+

Because the error only affects a subset of the POST action methods in 1 controller, I had thought it was a server-side issue, but after uncovering the issue of the missing Connection header, it appears to be a client-side issue. How the problem is triggered remains a mystery to me.
I did verify that the response headers of the working page and the problematic page are the same. If relevant, the Persistent-Auth: true header is returned in both cases.
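
One way to isolate the difference between the two posts, as an added example that is not part of the original question: a small Node.js script that parses captured header blocks, reports which header names one capture lacks relative to another, and lists the authentication schemes offered in a 401. The function names are illustrative, and the sample captures are abbreviated from the blocks shown above (the user-agent value is shortened).

```javascript
// Added example: diff captured header blocks to see what one request lacks.
const TOKEN = /^([!#$%&'*+.^_`|~0-9A-Za-z-]+):\s*(.*)$/; // "name: value" lines only

function parseHeaders(raw) {
  const headers = new Map(); // lower-cased name -> array of values
  for (const line of raw.split(/\r?\n/)) {
    const m = TOKEN.exec(line.trim());
    if (!m) continue; // skips the request/status line and blank lines
    const name = m[1].toLowerCase();
    headers.set(name, (headers.get(name) || []).concat(m[2].trim()));
  }
  return headers;
}

function diffHeaders(reference, candidate) {
  const only = (a, b) => [...a.keys()].filter((n) => !b.has(n)).sort();
  const changed = [...reference.keys()]
    .filter((n) => candidate.has(n) && reference.get(n).join() !== candidate.get(n).join())
    .sort();
  return { missing: only(reference, candidate), extra: only(candidate, reference), changed };
}

// Schemes offered by a 401; assumes one challenge per WWW-Authenticate line.
function authSchemes(responseHeaders) {
  return (responseHeaders.get("www-authenticate") || [])
    .map((v) => v.split(/\s+/)[0].toLowerCase());
}

// Sample captures, abbreviated from the question (user-agent shortened to "UA").
const common = "accept: */*\norigin: http://www.xxx.yyy.zzz\nuser-agent: UA\n" +
  "x-requested-with: xmlhttprequest\n" +
  "content-type: application/x-www-form-urlencoded; charset=utf-8\n";
const wire = "host: www.xxx.yyy.zzz\nconnection: keep-alive\n" +
  "accept-encoding: gzip, deflate\naccept-language: en-us,en;q=0.8\n";
const failingReferer = "referer: http://www.xxx.yyy.zzz/app/resource/item/1";
const working = parseHeaders(common + wire +
  "content-length: 621\nreferer: http://www.xxx.yyy.zzz/app/resource/path");
const failingDevTools = parseHeaders(common + failingReferer);
const failingNetLog = parseHeaders("post ... http/1.1\n" + common + wire +
  "content-length: 105\n" + failingReferer);
const challenge = parseHeaders(
  "http/1.1 401 unauthorized\nwww-authenticate: negotiate\nwww-authenticate: ntlm");

console.log(diffHeaders(working, failingDevTools)); // DevTools "provisional" capture
console.log(diffHeaders(working, failingNetLog));   // net-internals capture
console.log(authSchemes(challenge));
```

On these samples, the DevTools capture marked "provisional headers shown" lacks five header names that the net-internals capture of the same failing request contains, so the two captures should be compared before attributing the 401 to a missing header.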
Some wild guesses:
- This happens when the requested role is not in the claims of the logged-in user. Verify that, if you're using [Authorize(Roles = "xyz")], the current user has that role.
- It is not clear if the application uses cookie authentication. If yes, you should see it in the request. Are you setting withCredentials: true on each request?