Timer and authorization challenged during postback

  • Question

  • User-106697909 posted

    I have a site that is using Windows authentication and a custom role provider and is running in an Azure environment.  One of my pages has a timer that will run every minute.  I have noticed this page produces a lot of 401.2 and 401.1 entries in the server logs.  When I am actively using the page and it is posting back, authorization works fine and the responses come back with 200.  When I stop using the page and the async postback starts running every minute from the timer, for some reason authorization is challenged.  I'm not sure what to start looking at for root cause.

    Here are some of the entries from the log file.  13:31:06 is my last action before I let the timer do its thing.  The timer just performs a database hit and posts back to the same page.

    time cs-method cs-uri-stem cs-username sc-status
    13:30:49 GET /ScriptResource.axd Domain\UserID 200
    13:30:49 GET /WebResource.axd Domain\UserID 200
    13:30:52 POST /QUE/que.aspx Domain\UserID 200
    13:30:52 GET /Images/refresh.png Domain\UserID 200
    13:30:52 GET /Images/expand.png Domain\UserID 200
    13:30:56 POST /QUE/que.aspx Domain\UserID 200
    13:30:57 POST /QUE/que.aspx Domain\UserID 200
    13:30:57 POST /QUE/que.aspx Domain\UserID 200
    13:30:58 POST /QUE/que.aspx Domain\UserID 200
    13:30:58 GET /ScriptResource.axd Domain\UserID 200
    13:30:58 GET /ScriptResource.axd Domain\UserID 200
    13:30:58 GET /ScriptResource.axd Domain\UserID 200
    13:30:58 GET /ScriptResource.axd Domain\UserID 200
    13:30:58 GET /Images/calendar.png Domain\UserID 200
    13:30:59 POST /QUE/que.aspx Domain\UserID 200
    13:30:59 GET /ScriptResource.axd Domain\UserID 200
    13:30:59 GET /QUE/~/images/DropDown.png Domain\UserID 404
    13:31:00 POST /QUE/que.aspx Domain\UserID 200
    13:31:01 POST /QUE/que.aspx Domain\UserID 200
    13:31:01 POST /QUE/que.aspx Domain\UserID 200
    13:31:03 POST /QUE/que.aspx Domain\UserID 200
    13:31:03 POST /QUE/que.aspx Domain\UserID 200
    13:31:06 POST /QUE/que.aspx Domain\UserID 200
    13:31:06 GET /Images/collapse.png Domain\UserID 200
    13:32:07 POST /QUE/que.aspx 401
    13:32:07 POST /QUE/que.aspx 401
    13:32:07 POST /QUE/que.aspx Domain\UserID 200
    13:33:08 POST /QUE/que.aspx 401
    13:33:08 POST /QUE/que.aspx 401
    13:33:08 POST /QUE/que.aspx Domain\UserID 200
    13:34:08 POST /QUE/que.aspx 401
    13:34:08 POST /QUE/que.aspx 401
    13:34:08 POST /QUE/que.aspx Domain\UserID 200
    13:35:09 POST /QUE/que.aspx 401
    13:35:09 POST /QUE/que.aspx 401
    13:35:09 POST /QUE/que.aspx Domain\UserID 200
    13:36:10 POST /QUE/que.aspx 401
    13:36:10 POST /QUE/que.aspx 401
    13:36:10 POST /QUE/que.aspx Domain\UserID 200
    13:37:11 POST /QUE/que.aspx 401
    13:37:11 POST /QUE/que.aspx 401
    13:37:11 POST /QUE/que.aspx Domain\UserID 200
    13:38:11 POST /QUE/que.aspx 401
    13:38:11 POST /QUE/que.aspx 401
    13:38:11 POST /QUE/que.aspx Domain\UserID 200
    13:39:12 POST /QUE/que.aspx 401
    13:39:13 POST /QUE/que.aspx 401
    13:39:13 POST /QUE/que.aspx Domain\UserID 200
    13:40:13 POST /QUE/que.aspx 401
    13:40:13 POST /QUE/que.aspx 401
    13:40:13 POST /QUE/que.aspx Domain\UserID 200
    13:41:13 POST /QUE/que.aspx 401
    13:41:13 POST /QUE/que.aspx 401
    13:41:13 POST /QUE/que.aspx Domain\UserID 200
    13:42:14 POST /QUE/que.aspx 401
    13:42:15 POST /QUE/que.aspx 401
    13:42:15 POST /QUE/que.aspx Domain\UserID 200
    13:43:15 POST /QUE/que.aspx 401
    13:43:15 POST /QUE/que.aspx 401
    13:43:15 POST /QUE/que.aspx Domain\UserID 200
    13:44:16 POST /QUE/que.aspx 401
    13:44:16 POST /QUE/que.aspx 401
    13:44:16 POST /QUE/que.aspx Domain\UserID 200
    13:45:17 POST /QUE/que.aspx 401
    13:45:17 POST /QUE/que.aspx 401
    13:45:17 POST /QUE/que.aspx Domain\UserID 200
    13:46:17 POST /QUE/que.aspx 401
    13:46:17 POST /QUE/que.aspx 401
    13:46:17 POST /QUE/que.aspx Domain\UserID 200
    13:47:18 POST /QUE/que.aspx 401
    13:47:18 POST /QUE/que.aspx 401
    13:47:18 POST /QUE/que.aspx Domain\UserID 200
    13:48:18 POST /QUE/que.aspx 401
    13:48:18 POST /QUE/que.aspx 401
    13:48:18 POST /QUE/que.aspx Domain\UserID 200
    13:49:19 POST /QUE/que.aspx 401
    13:49:19 POST /QUE/que.aspx 401
    13:49:19 POST /QUE/que.aspx Domain\UserID 200

    My cookie is the same for all entries.  The roles and session are sent over.  Cookies have 10 minute sliding expiration and Session has 30 minute sliding expiration so both are still valid when the timer starts posting back.

    SMMSADIDENTITY=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;+SMMSADCHALLENGE=NTC_CHALLENGE_DONE;+ARRAffinity=2b3382e259bcded79cf2fe0b059efd2c22d485b467015b81ad8ee3ca7f1cb9a6;+ASP.NET_SessionId=csvynkt2jrouemr55zldlmpk;+.ASPROLES=AAEAAAD_____AQAAAAAAAAAMAgAAAE1TeXN0ZW0uV2ViLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49YjAzZjVmN2YxMWQ1MGEzYQUBAAAAIVN5c3RlbS5XZWIuU2VjdXJpdHkuUm9sZVByaW5jaXBhbAgAAAAIX1ZlcnNpb24LX0V4cGlyZURhdGUKX0lzc3VlRGF0ZQlfSWRlbnRpdHkNX1Byb3ZpZGVyTmFtZQlfVXNlcm5hbWURX0lzUm9sZUxpc3RDYWNoZWQJX0FsbFJvbGVzAAAAAgEBAAEIDQ0BAgAAAAEAAACm-Cq_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

    The web.config has the following entries. 

    <system.web>
      <authorization>
        <allow roles="ADM,QUE_MAN,QUE_SUP,QUE_USR" />
        <deny users="*" />
      </authorization>
    </system.web>

    Tuesday, July 10, 2018 2:51 PM

All replies

  • User-330142929 posted

    Hi Sleseman, 

    As we all know, the HTTP 401 error is an HTTP error about authentication and authorization. It generally involves two possibilities: the client does not provide verification information, or it has provided it but has not passed the authorization test. That is, "HTTP basic authentication", which may require the client to provide the www-authenticate header field in the HTTP protocol.

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401

    Generally speaking, the authentication order is like this. Because the authorization header is not included in the first request, the server will return a 401 error to the client and add the 'www-authenticate' credential to the header of the response. The client then encrypts the credentials and sends them to the server in the authorization header. Next, the authentication is successful. After the authentication, the browser puts the authentication information in the session, and then does not need to be authenticated again during the validity period of the session.

    Throughout the process, authentication information is included in the request header. I suggest that you use the developer tools to see whether each request contains authentication information, or whether other code deletes the session information.

    Besides, the occasional 401 error on the website is a normal phenomenon for some web servers with some kind of security policy. The client can only pass the authentication if it is completely unfamiliar and the Internet connection host has not been used before.

    Best Regards

    Abraham.

    Wednesday, July 11, 2018 6:27 AM
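
The challenge order described in the reply above can be checked against a log like the one in the question. This added example (not code from the thread) groups anonymous 401s with the authenticated 200 that follows on the same URI and flags challenges that never complete. The 2-second window, the function names and the last two sample lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in the thread's layout: time method uri [username] status.
# The last two lines are invented to show a challenge that never completes.
SAMPLE_LOG = r"""
time cs-method cs-uri-stem cs-username sc-status
13:31:06 POST /QUE/que.aspx Domain\UserID 200
13:32:07 POST /QUE/que.aspx 401
13:32:07 POST /QUE/que.aspx 401
13:32:07 POST /QUE/que.aspx Domain\UserID 200
13:39:12 POST /QUE/que.aspx 401
13:39:13 POST /QUE/que.aspx 401
13:39:13 POST /QUE/que.aspx Domain\UserID 200
13:50:00 POST /QUE/que.aspx 401
13:50:01 POST /QUE/que.aspx 401
"""

def parse(line):
    """Split one log line; cs-username is absent on anonymous requests."""
    parts = line.split()
    if len(parts) not in (4, 5):
        return None
    try:
        when = datetime.strptime(parts[0], "%H:%M:%S")
        status = int(parts[-1])
    except ValueError:  # header row or malformed line
        return None
    user = parts[3] if len(parts) == 5 else None
    return {"time": when, "key": (parts[1], parts[2]), "user": user, "status": status}

def classify(log_text, window=timedelta(seconds=2)):
    """Return (completed, unresolved) challenge exchanges per method+URI."""
    completed, unresolved = [], []
    pending = {}  # (method, uri) -> anonymous 401 entries awaiting a 200
    for entry in filter(None, map(parse, log_text.splitlines())):
        key, waiting = entry["key"], pending.get(entry["key"], [])
        # 401s older than the window belong to an exchange that never finished.
        if waiting and entry["time"] - waiting[-1]["time"] > window:
            unresolved.append(pending.pop(key))
            waiting = []
        if entry["status"] == 401 and entry["user"] is None:
            pending.setdefault(key, []).append(entry)
        elif waiting and entry["user"] and entry["status"] == 200:
            stamp = entry["time"].strftime("%H:%M:%S")
            completed.append((stamp, key[1], entry["user"], len(waiting)))
            del pending[key]
    unresolved.extend(pending.values())  # still open at end of log
    return completed, unresolved

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

Completed exchanges are 401s that ended in an authenticated 200; unresolved ones are the entries to look at first when separating real authentication failures from handshake noise.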