asp.netinternet-exploreriisntlmformsauthentication

Mixing NTLM with Forms Authentication in IE (Empty POST issue)


Our ASP.NET application is hosted in IIS 7.5 and has the following setup:

Main app (1) has Anonymous Authentication enabled along side Forms Authentication (url: siteurl/loginform). Second app (2) has Integrated Authentication (NTLM).

The login procedure works as following:

  1. User goes to siteurl first
  2. User gets redirected to /Intranet to check integrated auth
  3. If integrated is accepted user gets redirected back with proper auth cookies to siteurl and gets access to the site
  4. If integrated fails user gets redirected to siteurl/loginForm to manually fill in credentials

We have some issues with Internet Explorer (8, 9, 10) that refuses to submit the form data at step 4. It appears to be a known behavior that IE will not POST content to an unauthenticated site once the NTLM negotiation started for that session. I have considered some workarounds for this:

  1. store credentials in a cookie (with JS) and on the server if the POST content has 0 length try to check the cookie values. delete the cookie afterwards
  2. send credentials using GET instead of POST (ugly as we need to make sure the user does not see his just posted password in the browser address bar)
  3. Provide a link to the user to open a new tab and continue the auth process in a separate browser session (this seems to work as IE will happily send POST data from a second tab)

Are there any other options we might have to get around this issue? From the above 3 which one would be preferable and what unconsidered pitfalls we might encounter?


Solution

  • I wrote about this issue here: http://blogs.msdn.com/b/ieinternals/archive/2010/11/22/internet-explorer-post-bodies-are-zero-bytes-in-length-when-authentication-challenges-are-expected.aspx

    Your question omits important information which makes it hard to troubleshoot. You should never see the problem described with the literal URLs you've used, because IE uses protection spaces to decide whether a site is going to demand credentials via a HTTP/401 and example.com/ and example.com/foo/ are different protection spaces.

    It would be very helpful if you could share a Fiddler log of this scenario for better troubleshooting.