File upload fails if a 401 authentication challenge occurs on HTTP POST in Internet Explorer 10


Symptoms


Assume that you try to upload a file by using an XMLHttpRequest object in Level 2 specification in Internet Explorer 10. The file upload cannot be finished if the POST receives a 401 authentication challenge. The upload either freezes indefinitely or times out if a 401 challenge is received on the HTTP POST.

Additionally, this affects POSTs that contain files that are attached by using a formData().append method. The failures can occur in one of two ways during the network traces, depending on whether the Kerberos protocol or the NT LAN Manager (NTLM) protocol is used:

  • If Internet Explorer sends the POST, and the server responds with a 401 including the Authentication Header (AH), and then the Kerberos protocol is negotiated:
    • Internet Explorer sends the initial POST that contains the full body.
    • Server responds with Authenticate: Negotiate.
    • Internet Explorer sends Kerberos hash to the server together with content-length that states a full POST body is present but does not include the content.
    • Server waits for the remaining payload. However, the payload is never sent.
  • If Internet Explorer sends the POST, and the server responds with a 401 including the AH, and then the NTLM protocol is negotiated:
    • Internet Explorer sends the initial POST that contains the full body.
    • Server responds with Authenticate: Negotiate or Authenticate: NTLM.
    • Internet Explorer sends NTLM hash to the server together with content-length = 0.
    • Server responds with server hash.
    • No follow-up POST that contains the completed hash or a full POST body is sent by the client.

Resolution


Update information

To resolve this issue, install the most recent cumulative security update for Internet Explorer. To do this, go to Microsoft Update.

For technical information about the most recent cumulative security update for Internet Explorer, go to the following Microsoft website:Note This update was first included in security update 2975687.

For more information about security update 2977629, click the following article number to view the article in the Microsoft Knowledge Base:

2977629 MS14-052: Cumulative security update for Internet Explorer: September 9, 2014

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References


See the terminology that Microsoft uses to describe software updates.