Steps to reproduce
for our Intranet app we use integrated auth using negotiate authorization scheme (WWW-Authenticate: Negotiate). Both the app UX and API require integrated authorization. For UX pages in edge, integrated authorization negotiation handshake is honored and works fine. (In the network capture I can see for the first anonymous request server challenges request with 401 unauthorized with WWW-Authenticate: Negotiate, NTLM header in response. Edge pops up a window for use to enter credentials and then sends request with Authorization: negotiate <token> header, Server responding with a challenge in 401 response, edge sending another request with authorization header which is accepted by server and 200 ok response is sent).
But when this page makes an XHR request with API endpoint of the intranet site, the authorization handshake does not happen. (In the network capture I only see for the anonymous XHR request server challenges it with 401 unauthorized with WWW-Authenticate: Negotiate, NTLM header in response and that is where it ends. Edge does not show user any pop up to enter the credentials and thus does not send any response to the challenge from the server).
I same web app works fine in IE or Chrome.
Microsoft Edge 38.14393.0.0
Microsoft EdgeHTML 14.14393
Comments and activity
- Microsoft Edge Team
Changed Assigned To to “Steven K.”
Changed Status to “Fixed, flighted”
I wanted to let you know that the Windows 10 Creator’s Update Release version 15063 contains the fix for this issue.
Also, the recommended method for performing a request with credentials is via the Fetch API.
Thank you for the submission,
The MS Edge Team