views:

490

answers:

3

Is there a way to determine if a browser supports NTLM without having NTLM enabled for the particular site or directory in IIS and without showing a login dialog/pop-up? Preferably, determine this using ColdFusion or perhaps some combination of JS and CF. I'd prefer not to restrict this to just IE as other browsers (such as FF) support NTLM authentication.

+4  A: 

If you request a page and the page returns 401 and says it only accepts NTLM, and then the browser sends another HTTP packet trying to respond to it, then it supports NTLM. You don't have to make IIS do this -- you could have any page where you can set the response codes and headers request NTLM. If you don't get another request, it means that the client couldn't authenticate this way.

You could detect this on the client by putting this request in an IFrame, then in the outer page checking to see what happened in the iframe.

Lou Franco
I tried doing this, but unfortunately the browser still asks for credentials. Which kind of ruins the transparency of the whole thing. Basically, I don't want any logins other than transparent NTLM authentication. Is there anyway to suppress this default behavior?I tried Steve's suggestion, too, but it seems using that technique has the CF server sending the data and it is no longer passing in the data from the client. This results in a constant 401 response.
illvm
Did you see what happens if you try to make an XMLHTTPRequest?
Lou Franco
I would also try to see what happens with other ways of forcing an HTTP request to be made (img, script, link, etc tags). Maybe there's one that the browser will silently fail (and not pop-up).
Lou Franco
XMLHTTPRequest would work for Firefox, but not IE. In Firefox you can make XHTTPRs run int he background and suppress the pop-ups, but as far as I am aware there is no way of doing it in IE, or any other browser. I tried using img, script, and link tags including dynamically building them at run time. No luck so far.
illvm
Might need a combination of browser detection and these techniques -- good luck.
Lou Franco
+1  A: 

Building on Lou's answer, you could make a cfhttp request within a try/catch block. You then check the response headers to determine your next steps.

Steve -Cutter- Blades
A: 

Unfortunately, you may be forced to use browser sniffing and a white-list.

Adam Tuttle
This doesn't work unfortunately because there is no way of telling whether the browser is configured to use the particular page as a trusted source for NTLM authentication.
illvm