Eradicating 401 "Unauthorised" responses followed by 200 "Ok" responses


Problem description

I have a situation with a large internal corporate web-based application running ASP.NET 3.5 on IIS6 that generates 401 "Unauthorised" responses followed by 200 "Ok" responses (as profiled by Fiddler). I'm aware of why this is happening (integrated authentication forcing the browser to resend credentials), but I'm looking for ideas on how to minimise or eliminate the situation. The application in question is running over a WAN with some users experiencing latency of up to 250ms, so forcing subsequent requests could have a noticeable impact on page load times, especially when there are many cascading drop down lists on the page.


The users of the application are internal within a managed desktop environment so mechanisms to force the browser to send credentials on the first request (is this even possible?) could be possible from a deployment perspective. This would work for pages requiring the user’s identity but for resources not requiring authentication (WebResource.axd, ScriptResource.axd and some custom web services), allowing anonymous auth would be possible. I’ve looked at defining this on a per location basis in the web.config but the results were mixed (still a number of 401 responses).

I’d appreciate any guidance on a "best practice" for dealing with this situation. There are a lot of resources out there identifying the problem but none that I’ve found providing a feasible solution.

Thanks!

Edit: Resources not requiring authentication (i.e. web services used for cascading drop down lists) can be requested anonymously through adding a location entry to the web config but I'm yet to find an answer for authenticated resources.

Solution

Unfortunately this is an artifact of the HTTP NTLM authentication scheme.

In short, the browser (Internet Explorer or otherwise) doesn't know that it needs to authenticate at all until it gets bounced with a 401 response containing a WWW-Authenticate response header.

In the case of WWW-Authenticate: NTLM -- annoyingly enough -- it requires two 401 responses on a single persistent connection to complete, and this process must be repeated once the HTTP persistent connection is closed. So even if you were able to get the browser to initiate a request blindly attempting NTLM, at least one 401 response cannot be removed from the transaction.

I think your best bet would be to maximize the amount of time that persistent connections are left open when idle.
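An added example, not part of the question or the answer above: a small Python model of the NTLM exchange the answer describes, counting round trips per resource on persistent versus closed connections. The resource list, the set of anonymous locations and the 250 ms RTT are constructed from the question's description; the NTLMSSP tokens are placeholders that carry only the signature and message type, not real flags, server challenge or NTLMv2 response fields.

```python
# Added example (not from the question or the answer): a model of the HTTP NTLM
# handshake the answer describes, used to count round trips per page load.
# Paths, the anonymous <location> set and the RTT are constructed inputs;
# the NTLMSSP tokens carry only the signature and message type, not the real
# flags, challenge or NTLMv2 response fields.
import base64
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3   # NTLM Type 1, 2, 3


def ntlm_token(msg_type: int, body: bytes = b"") -> str:
    """Header value 'NTLM <base64>' with the NTLMSSP signature and LE uint32 type."""
    raw = NTLMSSP + msg_type.to_bytes(4, "little") + body
    return "NTLM " + base64.b64encode(raw).decode()


def ntlm_type(header: Optional[str]) -> Optional[int]:
    """Message type of an NTLM header value, or None for bare 'NTLM' / other schemes."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme != "NTLM" or not token:
        return None
    raw = base64.b64decode(token)
    if len(raw) < 12 or not raw.startswith(NTLMSSP):
        return None
    return int.from_bytes(raw[8:12], "little")


@dataclass
class Connection:
    """One persistent TCP connection. NTLM authenticates the connection, not each
    request, so this state is lost whenever the connection is closed."""
    challenge_sent: bool = False
    authenticated: bool = False


def server_handle(conn: Connection, path: str, authz: Optional[str],
                  anonymous_paths: FrozenSet[str]) -> Tuple[int, Dict[str, str]]:
    """Server with Integrated (NTLM) auth; anonymous_paths plays the web.config <location> entries."""
    if path in anonymous_paths or conn.authenticated:
        return 200, {}
    t = ntlm_type(authz)
    if t == NEGOTIATE:                      # Type 1 in -> Type 2 challenge out (second 401)
        conn.challenge_sent = True
        return 401, {"WWW-Authenticate": ntlm_token(CHALLENGE, b"\x00" * 8)}  # placeholder challenge
    if t == AUTHENTICATE and conn.challenge_sent:   # Type 3 in -> connection is now authenticated
        conn.authenticated = True
        return 200, {}
    return 401, {"WWW-Authenticate": "NTLM"}  # first 401: browser learns it must authenticate


def client_fetch(conn: Connection, path: str, anonymous_paths: FrozenSet[str],
                 preemptive: bool = False) -> int:
    """Browser behaviour for one resource; returns the number of round trips it took.
    preemptive=True models a client that sends a Type 1 token blindly on the first request."""
    authz = ntlm_token(NEGOTIATE) if preemptive else None
    trips = 0
    for _ in range(4):
        status, headers = server_handle(conn, path, authz, anonymous_paths)
        trips += 1
        if status == 200:
            return trips
        www = headers["WWW-Authenticate"]
        if www == "NTLM":
            authz = ntlm_token(NEGOTIATE)
        elif ntlm_type(www) == CHALLENGE:
            authz = ntlm_token(AUTHENTICATE, b"placeholder-ntlmv2-response")
        else:
            break
    raise RuntimeError(f"NTLM handshake did not complete for {path}")


def page_load(paths: List[str], anonymous_paths: FrozenSet[str], keep_alive: bool,
              rtt_ms: float = 250.0, preemptive: bool = False) -> Tuple[int, float]:
    """Serial round trips and latency for a page; without keep-alive each request opens a new connection."""
    conn = Connection()
    trips = 0
    for path in paths:
        if not keep_alive:
            conn = Connection()   # connection closed: NTLM state gone, handshake repeats
        trips += client_fetch(conn, path, anonymous_paths, preemptive)
    return trips, trips * rtt_ms


# Constructed page: one aspx page, the two ASP.NET handlers and two cascading-drop-down services.
PAGE = ["/Default.aspx", "/WebResource.axd", "/ScriptResource.axd",
        "/Services/Regions.asmx", "/Services/Cities.asmx"]
ANON = frozenset({"/WebResource.axd", "/ScriptResource.axd"})

if __name__ == "__main__":
    for keep_alive in (False, True):
        for preemptive in (False, True):
            trips, ms = page_load(PAGE, ANON, keep_alive, preemptive=preemptive)
            print(f"keep_alive={keep_alive!s:5} preemptive={preemptive!s:5} "
                  f"-> {trips:2} round trips, {ms:.0f} ms")
```

The model makes the answer's points concrete: the first authenticated request on any new connection costs three trips (two 401s, then 200), a client that sends a Type 1 token blindly still pays one 401, and because NTLM authenticates the TCP connection rather than the request, every closed connection forces the handshake again. That is why the idle keep-alive timeout, and anything between client and server that drops or fails to reuse connections, matters more for authenticated resources than per-location settings do.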
