David Byron wrote:
> I got ethereal to capture everything. At 5MB, I'm pretty sure I
> shouldn't send it to the list. I should probably run the capture on a
> smaller file...tomorrow.

I've looked at David's trace:

    Client: MSIE/6.0
    Server: IIS/5.0 + ASP.NET

    Action: POSTing a large request (2 megabytes, just to be sure the server
            would have time and motivation to respond early if it wanted to).

The trace shows that IIS does close the first connection after the
first 401 response, in agreement with the "Connection: close" header
that it sent.

I am stunned to see IIS/5.0 doing two inefficient things:

    1. It waits until receiving the entire request before sending
       the 401 error response. (This is not necessary). This is very
       clearly part of the server's logic, as it's TCP accepts all of
       the request body and does not respond until after, which is 40
       seconds later.

    2. It closes the connection despite keep-alive being enabled,
       which serves no purpose as it has read the whole request by
       that point.

Another interesting quirk is:

    3. It sends "HTTP/1.1 100 Continue" in response to the second time
       a large request body is sent, but not the first time.

Conclusion: IE is forced to transmit the large request body twice. In
fact, any client is forced to do so, if it doesn't know in advance
that NTLM authentication is to be used on this URL.

However, if the client _does_ know to use NTLM authentication, then
the request body only needs to be transmitted once, because in the
initial phase it does POST with an empty request body.

These traces do not answer what the client should do when connecting
to a server where it has already done NTLM authentication, but POSTing
to a URL on that domain that does not use NTLM.

For example, the latter behaviour can occur when a reverse proxy is
used to fan out different URL paths to different servers. Then the
empty POST will be sent to a real URL handler, and will probably cause
the wrong POST action.

David: Can you repeat this test with IIS/6.0, using a large file and
packet capture? It looks very likely that IIS/6.0 does the same as
IIS/5.0 except for not closing the connection, and still requires the
request body to be transmitted twice when discovering auth. However,
it is possible that IIS/6.0 is coded better: If it is making good use
of HTTP, then it will behave differently for a large request body than
a small one.

Thanks,
-- Jamie
Received on 2004-11-08