IE10 & IE11 upload fail not sending POST data

Question

I am trying to POST a multipart/form-data that has hidden fields and a file and the transmission hangs.

Web Server: Windows 2012 server, running IIS 8.0.

Authentication: Windows enabled (Negotiate & NTLM)

Client: Windows 2008 Server /Windows 2012 Server (localhost) Internet Explorer 10.0.12 both have the same problem

I have a CGI running on the web server and I check to ensure that it is available and responds, then I make a JQuery Ajax request to send the POST data. Using Fiddler I watched the web server and the browser communicate (below). It hangs on the last request, it shows a Content-Length of 500, but there is no data. It seems like IE is waiting to send it(?).

In Fiddler you can modify the data before a response is sent. I tried this and it will not allow editing. It seems like it is still waiting on IE to keep sending. I tried turning Windows Authentication off and turned on Anonymous and I have no issues. Furthermore on the very 1st request I can not reproduce the issue (it works as expected) but on subsequent request it is consistent. No issues with Chrome, Firefox, or IE9 and earlier. I cannot determine if it is the browser or the web server.

Request 1 CGI check

POST http://www.example.com/test/mycgi.exe/ABC HTTP/1.1
X-Requested-With: XMLHttpRequest
Accept: */*
Referer: http://www.example.com/test/mycgi2.exe/ABC
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Connection: Keep-Alive
Content-Length: 0
DNT: 1
Host: www.example.com
Pragma: no-cache

HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/8.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Fri, 03 Jan 2014 20:29:28 GMT
Content-Length: 1293
Proxy-Support: Session-Based-Authentication

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;} 
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;} 
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} 
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>
</div>
</body>
</html>

---

POST http://www.example.com/test/mycgi.exe/ABC HTTP/1.1
X-Requested-With: XMLHttpRequest
Accept: */*
Referer: http://www.example.com/test/mycgi2.exe/ABC
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Connection: Keep-Alive
Content-Length: 0
DNT: 1
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
Pragma: no-cache
Host: www.example.com


HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAEgASADgAAAAVgoniOb3rEHzeNj0AAAAAAAAAAJwAnABKAAAABgLwIwAAAA9MAFIAUwBEAE8ATQBBAEkATgACABIATABSAFMARABPAE0AQQBJAE4AAQAUAFcASQBOAC0AUQBBADIAMAAxADIABAAUAGwAcgBzAGkAbgBjAC4AbwByAGcAAwAqAFcASQBOAC0AUQBBADIAMAAxADIALgBsAHIAcwBpAG4AYwAuAG8AcgBnAAUAFABsAHIAcwBpAG4AYwAuAG8AcgBnAAcACABOH1yAwgjPAQAAAAA=
Date: Fri, 03 Jan 2014 20:29:28 GMT
Content-Length: 341
Proxy-Support: Session-Based-Authentication

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Authorized</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Authorized</h2>
<hr><p>HTTP Error 401. The requested resource requires user authentication.</p>
</BODY></HTML>

---

POST http://www.example.com/test/mycgi.exe/ABC HTTP/1.1
X-Requested-With: XMLHttpRequest
Accept: */*
Referer: http://www.example.com/test/mycgi2.exe/ABC
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Connection: Keep-Alive
Content-Length: 0
DNT: 1
Host: www.example.com
Pragma: no-cache
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAJgAAABEAUQBsAAAABIAEgBYAAAAEAAQAGoAAAAeAB4AegAAABAAEAD0AQAAFYKI4gYBsR0AAAAPuaPj4eFf7hfIoOiAvf0/xWwAcgBzAGQAbwBtAGEAaQBuAGMAcgBhAHcAZgBvAHIAZABXAEkATgAtAEIARAA3ADUANgBJAFAANgA0AE8ARwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdKgld6FBtRxfUcAQJS6yPAQEAAAAAAABOH1yAwgjPAQcXz+RFuDKzAAAAAAIAEgBMAFIAUwBEAE8ATQBBAEkATgABABQAVwBJAE4ALQBRAEEAMgAwADEAMgAEABQAbAByAHMAaQBuAGMALgBvAHIAZwADACoAVwBJAE4ALQBRAEEAMgAwADEAMgAuAGwAcgBzAGkAbgBjAC4AbwByAGcABQAUAGwAcgBzAGkAbgBjAC4AbwByAGcABwAIAE4fXIDCCM8BBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAAEa6q+B5Lu1yFWYA3Wkqf+iAxY/qnzwZi2pgk0t1XqKNCgAQAAAAAAAAAAAAAAAAAAAAAAAJACAASABUAFQAUAAvADEAMAAuADkANgAuADgALgAxADgANgAAAAAAAAAAAAAAAADYL8orn+roxnPVhMNa1G0w

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Fri, 03 Jan 2014 20:29:28 GMT
Connection: close
Content-Length: 0

---

Request 2 POST with data and file

POST http://www.example.com/test/mycgi.exe/ABC?trid=pxupld HTTP/1.1
X-Requested-With: XMLHttpRequest
Accept: */*
Content-Type: multipart/form-data; boundary=---------------------------7dd3c817903dc
Referer: http://www.example.com/test/mycgi2.exe/ABC
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: www.example.com
DNT: 1
Connection: Keep-Alive
Pragma: no-cache
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
Content-Length: 0

HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAEgASADgAAAAVgonioR3IHBVFoYwAAAAAAAAAAJwAnABKAAAABgLwIwAAAA9MAFIAUwBEAE8ATQBBAEkATgACABIATABSAFMARABPAE0AQQBJAE4AAQAUAFcASQBOAC0AUQBBADIAMAAxADIABAAUAGwAcgBzAGkAbgBjAC4AbwByAGcAAwAqAFcASQBOAC0AUQBBADIAMAAxADIALgBsAHIAcwBpAG4AYwAuAG8AcgBnAAUAFABsAHIAcwBpAG4AYwAuAG8AcgBnAAcACABzQ2OAwgjPAQAAAAA=
Date: Fri, 03 Jan 2014 20:29:28 GMT
Content-Length: 341
Proxy-Support: Session-Based-Authentication

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Authorized</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Authorized</h2>
<hr><p>HTTP Error 401. The requested resource requires user authentication.</p>
</BODY></HTML>

---

POST http://www.example.com/test/mycgi.exe/ABC?trid=pxupld HTTP/1.1
X-Requested-With: XMLHttpRequest
Accept: */*
Content-Type: multipart/form-data; boundary=---------------------------7dd3c817903dc
Referer: http://www.example.com/test/mycgi2.exe/ABC
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: www.example.com
Content-Length: 500
DNT: 1
Proxy-Connection: Keep-Alive
Pragma: no-cache
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAJgAAABEAUQBsAAAABIAEgBYAAAAEAAQAGoAAAAeAB4AegAAABAAEAD0AQAAFYKI4gYBsR0AAAAPbaRPHPhdB+KO+QMFMSieX2wAcgBzAGQAbwBtAGEAaQBuAGMAcgBhAHcAZgBvAHIAZABXAEkATgAtAEIARAA3ADUANgBJAFAANgA0AE8ARwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUat4cr34A16p/u9YeXYBAAQEAAAAAAABzQ2OAwgjPAVb+mEX8/lPwAAAAAAIAEgBMAFIAUwBEAE8ATQBBAEkATgABABQAVwBJAE4ALQBRAEEAMgAwADEAMgAEABQAbAByAHMAaQBuAGMALgBvAHIAZwADACoAVwBJAE4ALQBRAEEAMgAwADEAMgAuAGwAcgBzAGkAbgBjAC4AbwByAGcABQAUAGwAcgBzAGkAbgBjAC4AbwByAGcABwAIAHNDY4DCCM8BBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAAEa6q+B5Lu1yFWYA3Wkqf+iAxY/qnzwZi2pgk0t1XqKNCgAQAAAAAAAAAAAAAAAAAAAAAAAJACAASABUAFQAUAAvADEAMAAuADkANgAuADgALgAxADgANgAAAAAAAAAAAAAAAAAQcolcJBPzOWjm8V7iJiki

---

hang waiting for data I presume, any ideas?

Answer 1

What is happening is this.

1. You request a page from IIS.
2. IIS says "No, you have to authenticate (401). I take Negotiate and/or NTLM." (In the default configuration with Windows Auth turned on)
3. IE sends authentication headers along with your request and IIS happily sends back your page.
4. IE attaches the authentication to the TCP connection it used so it doesn't have to authenticate to IIS again.
5. You wait around, and IE gets bored with you and closes the TCP connection it was holding open (See the Keep-Alive header. And don't turn keep-alives off.). All of your juicy Windows Authentication goes away when the TCP connection is closed.
6. You finally do something that triggers an XHR POST of some binary payload or multipart/form-data.
7. IE goes through the Windows Authentication exchange all over on a new TCP connection.
8. IE screws up and submits your post but fails to along send the data. It just stops and doesn't do it. In the case of multipart/form-data, the client and the server get into a game of chicken, each waiting for the other to do something and IE hangs. For other mime types, I've noticed IIS sending back a 408 and not hanging.

Workaround: Send a GET or a HEAD request to IIS. IE will authenticate on that request. Once that completes, send your POST. IE will recycle the TCP connection from the GET or HEAD request (and its juicy Windows Authentication data) for your POST, and send your data correctly.