401 Precedes 200
Well, I am no expert on the authentication and authorization mechanisms that IIS offers, but what I learnt when I put our ASP.NET app under the scanner was fascinating.
For one of the internal apps that I was preparing to run some performance tests on, I was trying to capture some web tests using Fiddler. Since this page has quite a few AJAX calls, Fiddler, with its built-in ability to save requests as web tests, was an ideal fit.
After capturing the traffic for a couple of seconds, the Fiddler window looked like this:
Status | URL
401 | /VROOT/ReportImage.aspx?executionId=abc
401 | /VROOT/ReportImage.aspx?executionId=abc
200 | /VROOT/ReportImage.aspx?executionId=abc
401 | /VROOT/ReportImage.aspx?executionId=xyz
401 | /VROOT/ReportImage.aspx?executionId=xyz
200 | /VROOT/ReportImage.aspx?executionId=xyz
.. | ..
.. | ..
As you would notice, for each resource being requested by the client, the IIS server was sending at least two 401s before sending a success 200. That got me thinking that probably something wasn't right in the way the code was handling those requests, or that there was probably a misconfiguration on the IIS server itself. While doing some digging around, I found the following articles, which explain the mysterious 401s:
Explained: Windows Authentication in ASP.NET 2.0
Integrated Windows Authentication (IIS 6.0)
Kerberos explained: https://msdn2.microsoft.com/en-us/library/aa374743.aspx
In case you really have run into a 401, you might want to check: https://support.microsoft.com/kb/907273
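Two 401s followed by a 200 for the same URL is what the three-leg NTLM challenge-response of Integrated Windows Authentication looks like at the status-code level, whereas a URL that only ever returns 401 is a real failure. The Python below is an added example, not code from the original post: it groups a captured (status, URL) list into exchanges and separates handshake 401s from unresolved ones. The function names, labels and the "denied" rows are assumptions made for illustration, and status codes alone are only a hint; the WWW-Authenticate and Authorization headers in the capture confirm which scheme was used.

```python
# Added example: constructed capture, not data from the original post.
UNRESOLVED, FAILED, UNEXPECTED = "unresolved-401", "failed", "unexpected"
TWO_LEG, ONE_LEG, NO_CHALLENGE = "two-challenge", "single-challenge", "no-challenge"

# (status, url) pairs in capture order. The first six rows mirror the table
# above; the "denied" executionId is a constructed case that never gets a 200.
SAMPLE = [
    (401, "/VROOT/ReportImage.aspx?executionId=abc"),
    (401, "/VROOT/ReportImage.aspx?executionId=abc"),
    (200, "/VROOT/ReportImage.aspx?executionId=abc"),
    (401, "/VROOT/ReportImage.aspx?executionId=xyz"),
    (401, "/VROOT/ReportImage.aspx?executionId=xyz"),
    (200, "/VROOT/ReportImage.aspx?executionId=xyz"),
    (401, "/VROOT/ReportImage.aspx?executionId=denied"),
    (401, "/VROOT/ReportImage.aspx?executionId=denied"),
    (401, "/VROOT/ReportImage.aspx?executionId=denied"),
]

def group_exchanges(sessions):
    """Collapse a capture into (url, challenges_401, final_status) records."""
    pending, exchanges = {}, []
    for status, url in sessions:
        if status == 401:
            pending[url] = pending.get(url, 0) + 1  # a challenge, not yet an outcome
        else:
            exchanges.append((url, pending.pop(url, 0), status))
    # URLs left in `pending` only ever saw 401s: a real authentication failure.
    exchanges.extend((url, n, None) for url, n in pending.items())
    return exchanges

def label(challenges, final):
    """Name an exchange by how many 401s preceded its final status."""
    if final is None:
        return UNRESOLVED
    if final >= 400:
        return FAILED
    return {0: NO_CHALLENGE, 1: ONE_LEG, 2: TWO_LEG}.get(challenges, UNEXPECTED)

def summarize(sessions):
    return [(url, label(c, f)) for url, c, f in group_exchanges(sessions)]

def challenge_overhead(sessions):
    """Count 401 round trips that were handshake steps of successful requests."""
    return sum(c for _, c, f in group_exchanges(sessions) if f is not None and f < 400)

if __name__ == "__main__":
    for url, verdict in summarize(SAMPLE):
        print(f"{verdict:16} {url}")
    print("handshake 401s:", challenge_overhead(SAMPLE))
```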