Why do "401 Unauthorized" messages appear twice before the CardioLog tracking code is downloaded to the client browser?

When a client needs to authenticate itself to a proxy or server using the NTLM scheme (used by the CardioLog Tracking Agent web application), the following 4-way handshake takes place:


1: Client  -->  Server   GET ...
2: Client  <--  Server   401 Unauthorized
                         WWW-Authenticate: NTLM
3: Client  -->  Server   GET ...
                         Authorization: NTLM <base64-encoded type-1-message>
                         (This message contains the host name and the NT domain name of the client.)
4: Client  <--  Server   401 Unauthorized
                         WWW-Authenticate: NTLM <base64-encoded type-2-message>
                         (This message contains the server's NTLM challenge.)
5: Client  -->  Server   GET ...
                         Authorization: NTLM <base64-encoded type-3-message>
                         (This message contains the username, host name, NT domain name, and the two 
6: Client  <--  Server   200 OK
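
The following Python code is an added example, not part of the original article or of CardioLog. It decodes the NTLM headers from steps 2 to 5 and checks that a recorded exchange matches the sequence above, in which both 401 responses are expected. The function names and sample messages are constructed for illustration; the byte offsets follow the standard NTLM message layout.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"  # every NTLM message starts with this 8-byte tag

def parse_ntlm_header(value):
    """Decode one 'NTLM [<base64>]' header value; type 0 means the bare scheme."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    if not blob.strip():
        return {"type": 0}  # 'WWW-Authenticate: NTLM' with no message (step 2)
    raw = base64.b64decode(blob.strip(), validate=True)
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian uint32
    info = {"type": msg_type}
    if msg_type == 2:
        if len(raw) < 32:
            raise ValueError("type-2 message too short for a challenge")
        info["challenge"] = raw[24:32].hex()  # 8-byte server challenge
    return info

def is_expected_handshake(exchange):
    """exchange: (status, header_value) pairs for steps 2-5 in wire order;
    status is None for client requests. True if it matches the sequence above."""
    expected = [(401, 0), (None, 1), (401, 2), (None, 3)]
    if len(exchange) != len(expected):
        return False
    try:
        seen = [(status, parse_ntlm_header(h)["type"]) for status, h in exchange]
    except ValueError:  # also covers malformed base64
        return False
    return seen == expected

def build_header(msg_type, body):
    """Hypothetical helper: wrap a message body as an 'NTLM <base64>' value."""
    raw = SIGNATURE + struct.pack("<I", msg_type) + body
    return "NTLM " + base64.b64encode(raw).decode()

# Constructed sample messages (not captured traffic); bodies are zero-filled
# except for the 8 challenge bytes in the type-2 message.
SAMPLE = [
    (401, "NTLM"),
    (None, build_header(1, bytes(20))),
    (401, build_header(2, bytes(12) + bytes.fromhex("0123456789abcdef") + bytes(8))),
    (None, build_header(3, bytes(52))),
]
```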