
Avoiding 401 response for each request using NTLM

We have here an ASP.NET 3.5 application using NTLM-based Windows authentication. The system runs on a private network that is actually distributed over different geographic places (connected via VPN).

We are now trying to optimize the website's performance. Because of the way NTLM works, every new request to IIS is composed of 3 different requests, where the first 2 are 401 responses. We are trying to minimize the amount of these requests to be only at the beginning of the session. We found this solution. Unfortunately it didn't change anything and we keep getting this 401 response (which consumes time).

In order to see the traffic I first used the Fiddler app. Somehow, when I use Fiddler, there is only 1 authentication process at the beginning of the session (exactly as I wish), but when I close Fiddler and check the traffic via Wireshark I can see that I still have this 401 response for each request.

The used clients are IE6, IIS version 6.

Can someone advise?

Satumba asked Aug 03 '09 13:08



2 Answers

NTLM/Negotiate, unlike all other HTTP authentication schemes, are connection-oriented protocols.

In IIS, there are various settings which control whether authentication will be demanded for all requests on a previously authenticated connection (e.g. AuthPersistSingleRequest). Independent of that setting, I believe IIS will automatically demand re-authentication when making a POST request.

If your server is impairing connection reuse (e.g. by sending a Connection: close header in responses) you must fix that because otherwise the reauthentication will occur. You can easily check for such authentication-reuse foiling headers using Fiddler.

EricLaw answered Sep 23 '22 10:09
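
The header check described in the answer above, as an added example that is not part of the original answers: it scans response heads for conditions that end a connection and therefore force the NTLM handshake to repeat on the next request. The function names and the sample responses are constructed for illustration.

```python
# Added example: names and sample responses are constructed, not from the page.

def parse_head(raw):
    """Split a raw response head into (version, status, lower-cased headers)."""
    lines = raw.strip().splitlines()
    version, status = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, int(status), headers

def reuse_breakers(raw):
    """Reasons this response makes the client open (and re-authenticate) a new connection."""
    version, status, headers = parse_head(raw)
    tokens = {t.strip().lower() for v in headers.get("connection", []) for t in v.split(",")}
    reasons = []
    if "close" in tokens:
        reasons.append("Connection: close")
    if version == "HTTP/1.0" and "keep-alive" not in tokens:
        reasons.append("HTTP/1.0 without keep-alive")
    framed = "content-length" in headers or any(
        "chunked" in v.lower() for v in headers.get("transfer-encoding", []))
    # Without a length or chunking, the body ends only when the server closes
    # the connection (1xx, 204 and 304 carry no body; HEAD replies are not modelled).
    if not framed and status >= 200 and status not in (204, 304):
        reasons.append("body delimited by connection close")
    return reasons

def audit(responses):
    """Map each request path to its reuse-breaking reasons, omitting clean responses."""
    findings = {}
    for path, raw in responses:
        reasons = reuse_breakers(raw)
        if reasons:
            findings[path] = reasons
    return findings

SAMPLE = [  # constructed response heads, as copied from a proxy or packet capture
    ("/default.aspx", "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM\r\nContent-Length: 1539\r\n\r\n"),
    ("/home.aspx", "HTTP/1.1 200 OK\r\nContent-Length: 5120\r\nConnection: close\r\n\r\n"),
    ("/logo.gif", "HTTP/1.0 200 OK\r\nContent-Length: 812\r\n\r\n"),
    ("/report.aspx", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    ("/style.css", "HTTP/1.1 304 Not Modified\r\n\r\n"),
]

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE).items():
        print(path, "->", ", ".join(reasons))
```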


The only way is to use NTLM on the login page only and use a cookie, like here

Viktor Jevdokimov answered Sep 21 '22 10:09