I've got a web part that uses JavaScript heavily in the implementation of a UI. It also makes use of asynchronous XMLHttpRequest requests to some of the SharePoint web services (I'm using SPServices, btw).

For some requests, the user is confronted with NTLM authentication challenges, and after entering credentials, the request completes. This happens 3 times on one page load, although there are more than 3 requests. There are several things about this that I find confusing:

  • as I said, not all requests have this problem
  • the user has already accessed the site with NTLM authentication, so why do the ajax requests get challenged?
  • This is in a Windows domain environment. In a non-domain environment, this problem does not exist (although Windows auth is being used in both).

Of course, all of this is in IE. One thing I tried was to insert the NTLM authentication header into the ajax request, but that didn't change anything (I didn't really think it would, but it was worth a try).

Any suggestions?

+1  A: 

It should not be this way. Windows auth is per-process and, if you are already authenticated, you remain authenticated when you load something again; it does not matter whether it is the browser's main connection or an XHR request.

I have seen this strange behavior on one of our test servers. In that case, WebDAV access to SharePoint was also broken and sometimes you could not access the \\sharepointserver\sites\somesite paths (but some minutes later you could do it again). It seemed that there was something wrong with Kerberos authentication in that case and that wrong tokens were sometimes issued. However, we didn't solve that, just installed a new server and attached content databases to it. That worked :-)

naivists
Yes - I didn't end up figuring this one out, but rather removed that particular call to the web service. It may very likely have been caused by a Kerberos misconfiguration, but I may never know :-)
Ben Collins
A: 

This problem is due to the HTTP/1.1 session timeout. When you first log in to your NTLM-authenticated site, an HTTP session is opened. This session is authenticated, and every request you make while this session is open will be automatically authenticated with the NTLM token of the session. Now when you make the XMLHttpRequest, if the HTTP session is still open then your request doesn't ask for any authentication because it is already authenticated. But if the session expires or closes for one reason or another, then you will be prompted to log in. To better understand that, just do a quick search for the HTTP/1.1 protocol and you'll better see what I'm talking about.

Kain
+1  A: 

Use: <transport clientCredentialType="Windows" />

Check http://msdn.microsoft.com/en-us/library/bb226411(BTS.20).aspx for more info

Cip
A: 

Internet Explorer remembers if it has NTLM-authenticated to a given site. If it is ever asked to POST to that site, it will expect the site to re-authenticate it. If the site doesn't, the browser won't send any details in the body of the post.

John
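
An added example, not code from the question or from any of the answers: it classifies the authentication headers in a captured HTTP trace (from Fiddler or similar) to show whether a request used NTLM instead of a Kerberos ticket, whether a POST went out with an empty body during the NTLM handshake, and whether the server refused the final NTLM message. The function names, note labels and trace are constructed for illustration, and the parser assumes one scheme per header value.

```javascript
// Decode one Authorization / WWW-Authenticate header value.
function classifyAuthHeader(value) {
  const m = /^(NTLM|Negotiate)(?:\s+([A-Za-z0-9+\/=]+))?$/i.exec((value || "").trim());
  if (!m) return { kind: "none" };
  if (!m[2]) return { kind: "bare-challenge", scheme: m[1] };
  const raw = Buffer.from(m[2], "base64");
  // NTLM messages start with "NTLMSSP\0" plus a little-endian 32-bit type (1, 2 or 3).
  if (raw.length >= 12 && raw.toString("latin1", 0, 8) === "NTLMSSP\0")
    return { kind: "ntlm", scheme: m[1], type: raw.readUInt32LE(8) };
  // A GSS-API initial token (SPNEGO/Kerberos) starts with ASN.1 tag 0x60.
  if (raw[0] === 0x60) return { kind: "gssapi", scheme: m[1] };
  return { kind: "unknown", scheme: m[1] };
}

// Tag each request/response pair with what it shows about the handshake.
function diagnose(trace) {
  return trace.map((x) => {
    const req = classifyAuthHeader(x.authorization);
    const res = classifyAuthHeader(x.wwwAuthenticate);
    const notes = [];
    const denied = x.status === 401;
    if (req.kind === "ntlm" && /^negotiate$/i.test(req.scheme))
      notes.push("negotiate-used-ntlm"); // client sent NTLM, not a Kerberos ticket
    if (req.kind === "ntlm" && req.type === 1 && x.method === "POST" && x.contentLength === 0)
      notes.push("zero-length-post"); // body withheld until authentication completes
    if (denied && req.kind === "none") notes.push("server-challenge");
    if (denied && req.type === 1 && res.type === 2) notes.push("ntlm-challenge");
    if (denied && req.type === 3) notes.push("credentials-rejected"); // Type 3 refused
    return { url: x.url, notes };
  });
}

// Constructed NTLM-shaped token: signature and type only, no real fields.
function sampleToken(type) {
  const b = Buffer.alloc(12);
  b.write("NTLMSSP\0", 0, "latin1");
  b.writeUInt32LE(type, 8);
  return b.toString("base64");
}
// Constructed trace (not from the question): three requests to one web service.
const SAMPLE_TRACE = [
  { method: "POST", url: "/_vti_bin/Lists.asmx", contentLength: 0, status: 401,
    authorization: "NTLM " + sampleToken(1), wwwAuthenticate: "NTLM " + sampleToken(2) },
  { method: "POST", url: "/_vti_bin/Lists.asmx", contentLength: 412, status: 401,
    authorization: "NTLM " + sampleToken(3), wwwAuthenticate: "NTLM" },
  { method: "GET", url: "/_vti_bin/Lists.asmx", contentLength: 0, status: 401,
    authorization: "Negotiate " + sampleToken(1), wwwAuthenticate: "Negotiate " + sampleToken(2) },
];
for (const r of diagnose(SAMPLE_TRACE)) console.log(r.url, r.notes.join(", "));
```

A `credentials-rejected` entry is the point at which the browser has nothing left to try silently, and `negotiate-used-ntlm` on a domain-joined client is the sign to check the Kerberos configuration.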