File upload fails if a 401 authentication challenge occurs on HTTP POST in Internet Explorer 10

Note: The Internet Explorer 11 desktop application will be retired and go out of support on June 15, 2022 (for a list of what's in scope, see the FAQ). The same IE11 apps and sites you use today can open in Microsoft Edge with Internet Explorer mode. Learn more here.

Symptoms

Assume that you try to upload a file by using an XMLHttpRequest object in Level 2 specification in Internet Explorer 10. The file upload cannot be finished if the POST receives a 401 authentication challenge. The upload either freezes indefinitely or times out if a 401 challenge is received on the HTTP POST.

Additionally, this affects POSTs that contain files that are attached by using a formData().append method. The failures can occur in one of two ways during the network traces, depending on whether the Kerberos protocol or the NT LAN Manager (NTLM) protocol is used:

  • If Internet Explorer sends the POST, and the server responds with a 401 including the Authentication Header (AH), and then the Kerberos protocol is negotiated:

    • Internet Explorer sends the initial POST that contains the full body.

    • Server responds with Authenticate: Negotiate.

    • Internet Explorer sends Kerberos hash to the server together with content-length that states a full POST body is present but does not include the content.

    • Server waits for the remaining payload. However, the payload is never sent.

  • If Internet Explorer sends the POST, and the server responds with a 401 including the AH, and then the NTLM protocol is negotiated:

    • Internet Explorer sends the initial POST that contains the full body.

    • Server responds with Authenticate: Negotiate or Authenticate: NTLM.

    • Internet Explorer sends NTLM hash to the server together with content-length = 0.

    • Server responds with server hash.

    • No follow-up POST that contains the completed hash or a full POST body is sent by the client.


Resolution

Update information

To resolve this issue, install the most recent cumulative security update for Internet Explorer. To do this, go to Microsoft Update.

For technical information about the most recent cumulative security update for Internet Explorer, go to the following Microsoft website:

http://www.microsoft.com/technet/security/current.aspxNote This update was first included in security update 2975687.

For more information about security update 2977629, click the following article number to view the article in the Microsoft Knowledge Base:

2977629 MS14-052: Cumulative security update for Internet Explorer: September 9, 2014

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

See the terminology that Microsoft uses to describe software updates.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×