0

I'm attempting allow/restrict website intranet users access based on Active Directory permissions.

I thought we'd reached our objective (authentication without domain sign-on prompt) until I discovered that pages (or even text files) accessed via our popular browsers Chrome/IE11/Firefox result in three requests for the same asset, two which of which fail with a 401 response code.

Capturing this with Charles Proxy it would look as such:

  1. HTTP/1.1 401 Unauthorized HTTP Error 401. The requested resource requires user authentication
  2. HTTP/1.1 401 Unauthorized 401 - Unauthorized: Access is denied due to invalid credentials
  3. HTTP/1.1 200 OK

The specifics of these requests/responses can be seen here: http://pastebin.com/raw.php?i=3iBiGqHc

These happen in rapid succession, as if the browser is attempting retires. The resolution isn't sticky, and the browser will continue to request files in triplicate.

Are we missing a configuration setting somewhere?

PHP 5.6.9, IIS 7.5, Windows Server 2008 R2 SE SP1

user5398664
  • 103
  • 3

1 Answers1

0

I think this is just how it works.

The 401 response is what tells the browser to provide credentials in scenarios other than mutual certificate authentication over TLS.

Falcon Momot
  • 24,975
  • 13
  • 61
  • 92
  • Triplicate requests would be most unfortunate; hopefully this isn't the case -- – user5398664 Oct 01 '15 at 22:34
  • Found [this graphic](http://www.scip.be/ImagesScreenshots/ArticleWebAPI%20-%20WIA2.png) that might very well speak to your point: (from [http://www.scip.be/index.php?Page=ArticlesNET38](http://www.scip.be/index.php?Page=ArticlesNET38)) – user5398664 Oct 01 '15 at 23:54
  • Yeah that is how it works. – Falcon Momot Oct 02 '15 at 00:40