Windows authentication multiple requests

Question

I am using Windows Authentication to secure ASP.NET MVC5 application.

Everything works ok, I'm prompted to enter credentials via browser popup, and content it served properly.

However I do notice constantly that some requests are being sent 2 times, or more, with receiving 401 (Unauthorized) code, but shortly after requests are issued again and 200 (OK) is returned.

I assume that is part of negotiation with WWW-Authenticate and Authorize requests headers, but what is unclear to me is why this has to happen all the time even though credentials were supplied at the very start?

Is this normal behavior? If not, how can it be fixed? If yes, is it a big performance hit?

Attached is the combined screenshot of Fiddler and Firefox developer console.

Answer 1

What you are experiencing is the normal behavior. Here is a (very) short description of how the authentication works:

1. Request is sent to server (without credentials) => not authenticated (your first request)
2. Server responds with 401 (Access denied)
3. Browser gets error and sends credentials back => authenticated (your second request)

After the 3rd step, if the server has not received the requested credentials, it sends another 401 response and the browser displays the 401 error page. A more complete description can be found here.