I have the following configuration:
- IIS 7.5
- Website A – Authentication: all options disabled, only Windows authentication enabled.
- Application B (as a sub web application of A) – Authentication: Anonymous enabled, Basic enabled, Windows authentication disabled.
Both applications running ASP.NET 4, separate application pools, classic mode.
Now, the application B has this odd behavior I noticed in Fiddler.
For each request of an aspx page, it shows two entries:
First request:
GET https://example.com/page.aspx HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://example.com/
Accept-Language: en-GB
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; Zune 4.7)
Cookie: ASP.NET_SessionId=123456789
Accept-Encoding: gzip, deflate
Host: example.com
Authorization: NTLM DFGHJKLDRFGHNXAAAAA==
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 0
As a response, I’m getting a 401. Then, a second request is made for the same resource:
GET https://example.com/page.aspx HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://example.com/
Accept-Language: en-GB
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; Zune 4.7)
Authorization: Basic ZXVyasdasdasdasdasdasd=
Accept-Encoding: gzip, deflate
Host: example.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 0
Cookie: ASP.NET_SessionId=lasdasdasdasdasdasdasd
The second one is OK, with status 200.
The difference is in the “Authorization” line: the first one shows NTLM (giving 401 access denied), which sometimes causes unexpected behavior in JavaScript, e.g. with update panels (Sys.WebForms.PageRequestManagerParserErrorException).
What am I missing? How do I set up IIS (or the web app) so that this first “NTLM” request is not made?
Thank you for your help.
Edit: another interesting issue I’ve noticed: in the same environment, I have a second set of these applications (just bound to another database). In this set, application A has anonymous authentication enabled, forms enabled, and Windows disabled. App B has the same settings as in the first set. In this case, there are no failed requests (401). Everything runs smoothly.
Looks like the problem is solved. Since the site was added as an intranet site in IE, and the automatic logon for the intranet zone has been turned on, the corporate domain machines tried NTLM authentication first. That is where the NTLM request came from – and since Windows auth was disabled in IIS, it delivered the wrong response.
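A way to confirm this diagnosis from a capture, as an added example that is not part of the original post: the script reads the client's `Authorization` scheme, decodes the NTLM message type, and compares it with the schemes the server advertises in its 401. The sample request, token and `WWW-Authenticate` response header are constructed, since the post does not show the 401 response, and the function names are hypothetical.

```python
import base64
import struct
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def headers(raw):
    """(lowercased name, value) pairs of a raw HTTP message, start line skipped."""
    out = []
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out

def client_scheme(request):
    """Scheme of the Authorization header, plus the NTLM message type if decodable."""
    for name, value in headers(request):
        if name == "authorization":
            scheme, _, token = value.partition(" ")
            try:
                blob = base64.b64decode(token, validate=True)
            except ValueError:
                blob = b""
            kind = None
            # An NTLM message is "NTLMSSP\0" followed by a little-endian uint32 type.
            if blob[:8] == b"NTLMSSP\x00" and len(blob) >= 12:
                kind = NTLM_TYPES.get(struct.unpack("<I", blob[8:12])[0])
            return scheme.upper(), kind
    return None, None

def offered_schemes(response):
    """Schemes the server advertises across all WWW-Authenticate headers."""
    return {v.split(" ", 1)[0].upper() for n, v in headers(response)
            if n == "www-authenticate" and v}

def diagnose(request, response):
    """Describe a client/server scheme mismatch, or return None if there is none."""
    scheme, kind = client_scheme(request)
    offered = offered_schemes(response)
    if scheme and offered and scheme not in offered:
        return f"client sent {scheme} ({kind}); server offers only {sorted(offered)}"
    return None

# Constructed sample traffic (not from the original post): a minimal NTLM type 1 token.
TOKEN = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<II", 1, 0xA2088207)).decode()
REQUEST = f"GET /page.aspx HTTP/1.1\nHost: example.com\nAuthorization: NTLM {TOKEN}\n"
RESPONSE = 'HTTP/1.1 401 Unauthorized\nWWW-Authenticate: Basic realm="example.com"\n'
if __name__ == "__main__":
    print(diagnose(REQUEST, RESPONSE))
```

A type 1 (NEGOTIATE) message sent to an application that only advertises Basic points at the client's logon policy rather than at the IIS configuration.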