Solved

NTLM in ajax calls

Posted on 2014-04-23
Last Modified: 2014-05-03
Hi Experts,

I just noticed that the browser doesn't take over the 401 responses that we get in ajax when NTLM is expected with the server.  To be more precise - it looks like I need to implement NTLM in ajax myself?  Is there an easy way to do this?

Thanks!
Mike
Question by:thready
8 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 40019369
Ajax is not a single technology, but a group of technologies of HTML, CSS, DCOM and JavaScript to dynamically display for and interact with users. specifically, JavaScript and the XMLHttpRequest object provide a method for exchanging data asynchronously between browser and server to avoid full page reloads.

therefore, basically NTLM has nothing to do with Ajax itself, it may be related to HTTP request if NTLM authentication is required.

if the web server is IIS, you may enable Integrated Windows Authentication to allow NTLM authentication over HTTP. from Ajax programming side, nothing you can do specifically for NTLM authentication.

however, be aware although you won't be exposing credentials in cleartext using NTLM over HTTP, you will be exposing everything else, so the afterward HTTP traffic won't be secure from confidentiality or integrity breaches.
0
 
LVL 1

Author Comment

by:thready
ID: 40020373
Well, I've implemented NTLM in an http server.  It works fully when you navigate to a site it serves up when you enter the site on the browser address field.  But when you make similar requests through xhr (which also happen to be cross domain), they don't authenticate.

I'm going to see if non-cross domain calls will authenticate first to see if it's something to do with the CORS headers.
0
 
LVL 1

Author Comment

by:thready
ID: 40020376
By the way, the CORS code worked fine before I added the NTLM functionality to the server...
0
 
LVL 37

Expert Comment

by:bbao
ID: 40020436
> Well, I've implemented NTLM in an http server.

on an IIS website over HTTP? is the IIS a member of domain?

> when you make similar requests through xhr (which also happen to be cross domain), they don't authenticate.

in my understanding, for NTLM authentication, basically it depends on the NTFS permissions of the pages/files to allow or deny the users' HTTP requests. therefore, for requests across domain, they will be denied as the files on NTFS are not permitted to be accessed.
0
 
LVL 1

Author Comment

by:thready
ID: 40020486
But it's not IIS - it's our own web server code from an open source project (C# webserver)...  Which does work for normal browser address bar style requests...
0
 
LVL 37

Expert Comment

by:bbao
ID: 40020524
> Well, I've implemented NTLM in an http server.
>> But it's not IIS - it's our own web server code ...

your "implemented" does mean "implemented", i thought it just meant "deployed". :-))

where are the web pages physically located? still on an NTFS partition of Windows?
0
 
LVL 1

Accepted Solution

by:
thready earned 0 total points
ID: 40026039
I figured it out- the server side code did handle normal address bar requests because the browser implements that.  However, it seems the browser does go through entirely different code when calls come from ajax - particularly calls from ajax that are cross domain.  The solution was to add the correct server side headers for CORS and in addition, use the extra parameter in ajax stating, "use-credentials" if I remember correctly.  Very tricky actually - at the very least - 3 separate variables preventing all this from working in the normal way...

Thanks for trying - there was a lot more involved than I described in my question- the cost of trying to pinpoint problems...
0
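The accepted answer names two pieces: server-side CORS headers and a client-side credentials flag (on `XMLHttpRequest` the property is `withCredentials`). The sketch below is an added example, not the poster's C# server code, showing the header decision a server has to make for credentialed cross-origin requests, including the preflight case. `ALLOWED_ORIGINS`, `corsDecision`, the request shape and the `example.test` hosts are assumptions made for illustration.

```javascript
// Added example. ALLOWED_ORIGINS and the request shape are assumptions.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]); // constructed

// Decide status and headers for one request.
// req: { method, headers: { "lowercase-name": value } }
// authenticated: true once the NTLM handshake has completed on this connection.
function corsDecision(req, authenticated) {
  const origin = req.headers["origin"];
  const headers = {};
  const allowed = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  if (allowed) {
    // Credentialed CORS needs the exact origin echoed back, never "*".
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin"; // keep caches from mixing origins
  }
  const isPreflight = req.method === "OPTIONS" &&
    req.headers["access-control-request-method"] !== undefined;
  if (isPreflight) {
    if (!allowed) return { status: 403, headers };
    // Preflights are sent without credentials, so never answer them with 401.
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    // "*" is not a wildcard for credentialed requests; list names explicitly.
    headers["Access-Control-Allow-Headers"] = "Content-Type";
    return { status: 204, headers };
  }
  if (!authenticated) {
    // Normal challenge; the CORS headers set above stay attached.
    headers["WWW-Authenticate"] = "NTLM";
    return { status: 401, headers };
  }
  return { status: 200, headers };
}

// Browser side: opt in to sending credentials cross-origin.
//   const xhr = new XMLHttpRequest();
//   xhr.open("GET", "https://api.example.test/data");
//   xhr.withCredentials = true;
//   xhr.send();
```

Reflecting the `Origin` header only after an allowlist check matters here: echoing any origin together with `Access-Control-Allow-Credentials: true` lets any site read authenticated responses.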
 
LVL 1

Author Closing Comment

by:thready
ID: 40039039
It's the solution!
0
