thready
asked on
NTLM in ajax calls
Hi Experts,
I just noticed that the browser doesn't take over the 401 responses that we get in ajax when NTLM is expected with the server. To be more precise - it looks like I need to implement NTLM in ajax myself? Is there an easy way to do this?
Thanks!
Mike
ASKER
Well, I've implemented NTLM in an http server. It works fully when you navigate to a site it serves up when you enter the site on the browser address field. But when you make similar requests through xhr (which also happen to be cross domain), they don't authenticate.
I'm going to see if non-cross domain calls will authenticate first to see if it's something to do with the CORS headers.
ASKER
By the way, the CORS code worked fine before I added the NTLM functionality to the server...
> Well, I've implemented NTLM in an http server.
on an IIS website over HTTP? is the IIS a member of domain?
> when you make similar requests through xhr (which also happen to be cross domain), they don't authenticate.
in my understanding, for NTLM authentication, basically it depends on the NTFS permissions of the pages/files to allow or deny the users' HTTP requests. therefore, for requests across domain, they will be denied as the files on NTFS are not permitted to be accessed.
ASKER
But it's not IIS - it's our own web server code from an open source project (C# webserver)... Which does work for normal browser address bar style requests...
> Well, I've implemented NTLM in an http server.
>> But it's not IIS - it's our own web server code ...
your "implemented" does mean "implemented", i thought it just meant "deployed". :-))
where are the web pages physically located? still on an NTFS partition of Windows?
ASKER CERTIFIED SOLUTION
ASKER
It's the solution!
of technologies of HTML, CSS, DCOM and JavaScript to dynamically display for and interact with users. specifically, JavaScript and the XMLHttpRequest object provide a method for exchanging data asynchronously between browser and server to avoid full page reloads.
therefore, basically NTLM has nothing to do with Ajax itself, it may be related to HTTP request if NTLM authentication is required.
if the web server is IIS, you may enable Integrated Windows Authentication to allow NTLM authentication over HTTP. from Ajax programming side, nothing you can do specifically for NTLM authentication.
however, be aware although you won't be exposing credentials in cleartext using NTLM over HTTP, you will be exposing everything else, so the afterward HTTP traffic won't be secure from confidentiality or integrity breaches.
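For a cross-domain XHR to carry NTLM credentials, the browser's CORS rules require an exact `Access-Control-Allow-Origin`, `Access-Control-Allow-Credentials: true`, and a preflight that is answered without an authentication challenge. The sketch below is an added example, not the accepted solution or code from anyone in this thread; `ALLOWED_ORIGINS`, `corsHeaders`, `decideResponse` and the `example.test` hosts are hypothetical names, and the NTLM message handling itself is assumed to live in the server's existing code.

```javascript
// Added example: request gate placed in front of a server's own NTLM handler.
// Header names are assumed lowercased (as Node's http module delivers them).
const ALLOWED_ORIGINS = new Set(['http://app.example.test']); // constructed sample

function corsHeaders(origin) {
  // Credentialed CORS needs the exact origin (never "*") plus Allow-Credentials.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

function decideResponse(method, headers) {
  const cors = corsHeaders(headers['origin']);
  const allowed = 'Access-Control-Allow-Origin' in cors;

  // Preflight: browsers send it without credentials, so it must never get a 401.
  if (method === 'OPTIONS' && headers['access-control-request-method']) {
    if (!allowed) return { status: 403, headers: {} };
    return {
      status: 204,
      headers: {
        ...cors,
        'Access-Control-Allow-Methods': 'GET, POST',
        'Access-Control-Allow-Headers': 'Content-Type',
      },
    };
  }

  // No NTLM token yet: start the handshake. The CORS headers stay on the 401 so a
  // failed login is not reported to script as an opaque network error.
  if (!/^NTLM\s+\S/i.test(headers['authorization'] || '')) {
    return { status: 401, headers: { ...cors, 'WWW-Authenticate': 'NTLM' } };
  }

  // Token present: hand off to the existing NTLM code, which must attach `headers`
  // to every response it produces (the Type 2 challenge 401 and the final 200).
  return { pass: true, headers: cors };
}

// Browser side (shown as a comment, not run here):
//   const xhr = new XMLHttpRequest();
//   xhr.open('GET', 'http://api.example.test/data');
//   xhr.withCredentials = true; // without this, cross-origin XHR sends no credentials
//   xhr.send();
```
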