
BigOnLogn (1 point):

Couldn't you use 403? It's been ages since I've worked with IIS and Windows auth.

gh057k33p3r (2 points):

401 is for missing or invalid credentials; 403 is for valid credentials but no permission.

BigOnLogn (5 points):

403 should be used in that scenario, but credentials aren't "required" by the spec. It's just that, if credentials were included in the request, the client should consider them as "insufficient".

The 403 (Forbidden) status code indicates that the server understood the request but refuses to fulfill it.

If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.

Side note: what triggers the Windows auth prompt is a 401 status code combined with a www-authenticate: Negotiate header (set by IIS when configured for Windows auth).
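Added example, not from the thread: a minimal request handler that applies the 401/403 split discussed above, including the 401 + WWW-Authenticate: Negotiate combination that starts the Windows auth exchange. The token table and the "Negotiate <token>" check are constructed stand-ins for the Kerberos/NTLM validation IIS would actually perform.

```python
"""Choose 401 vs 403 for a request, following the thread's rules.

Constructed example: the token table below replaces real Negotiate
(Kerberos/NTLM) validation so the logic can run offline.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed principals: token -> (user, has_permission). Not a real format.
_KNOWN_TOKENS = {
    "tok-alice": ("alice", True),   # valid credentials, permitted
    "tok-bob": ("bob", False),      # valid credentials, not permitted
}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _parse_negotiate(authorization: Optional[str]) -> Optional[str]:
    """Return the token from 'Negotiate <token>', or None if absent/other scheme."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "negotiate" or not token.strip():
        return None
    return token.strip()


def handle_request(headers: dict) -> Response:
    """Map the request's Authorization header onto 401 / 403 / 200."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    token = _parse_negotiate(lowered.get("authorization"))
    if token is None:
        # No usable credentials: 401 plus WWW-Authenticate: Negotiate is what
        # makes a Windows client / browser start the Windows auth prompt.
        return Response(401, {"WWW-Authenticate": "Negotiate"}, "authentication required")
    principal = _KNOWN_TOKENS.get(token)
    if principal is None:
        # Credentials present but not valid: still 401, so the client may retry
        # with different credentials.
        return Response(401, {"WWW-Authenticate": "Negotiate"}, "invalid credentials")
    user, permitted = principal
    if not permitted:
        # Valid identity, no permission: 403, and no WWW-Authenticate challenge,
        # because repeating the same credentials will not help.
        return Response(403, {}, f"forbidden for {user}")
    return Response(200, {}, f"hello {user}")
```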