Getting an NTLM Challenge from an AJAX POST on just one page
Some wild guesses:
This happens when you request a Role that is not in the Claims of the currently logged-in user. Verify that, if you're using
[Authorize(Roles = "xyz")]
, the current user actually has that role.It is not clear if your application uses a cookie for authentication. If yes, you should see it with the request. Are you setting
withCredentials: true
for each request?
What's happening in the action methods that are causing the NTLM challenge ? Are you sure these specific action methods aren't accessing another server, or the internet through a proxy which requires authentication ? In your development environment, your user or the user running the app pool on IIS may have the necessary permissions, but the user on the server may not.
Instead of throwing a clear security-related Exception, ASP.NET will translate this into an NTLM challenge being returned to the client, and a 401 in case of invalid credentials, instead of a 500 containing the stacktrace leading you to the point where the server account didn't have sufficient privileges...