How to remove unwanted WWW-Authenticate headers


From an MVC app, I'm sourcing an iCal subscription with authentication following the answer to this SO question:

Serving an iCalendar file in ASPNET MVC with authentication

The iCal stream is being created dynamically from events in the DB using the DDay.iCal library.

This solution works fine on the local development server: both OSX Calendar and Outlook can subscribe to and receive updates from the app.

However, on the shared server at my web host, the authentication fails for both Calendar and Outlook. That is, they both keep asking me for user & password after the (correct) ones fail.

EDIT: If I point a browser at the calendar URL it also fails authentication.

EDIT: Getting weirder—Firefox authenticates and gets the iCal file. Safari, Chrome and IE fail authentication.

If I point curl at the calendar URL with the same credentials I'm successful (i.e. I get the desired iCal file). And, of course, the same credentials can be used to login to the MVC app.

EDIT — I think I know what's going on, but I don't know how to fix it. In my OnAuthorization() I add only WWW-Authenticate Basic, but with Fiddler I can see that three types of authentication are offered:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Secure Calendar"
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
... etc ...

At this point only Firefox responds with Basic Authorization, which succeeds.

GET <<URL>> HTTP/1.1
Authorization: Basic <<encoded credentials>>

IE responds with Negotiate, which fails

GET <<URL>> HTTP/1.1
Authorization: Negotiate <<encoded stuff>>

Who is adding the other two and how can I make it stop? Here's more detail from the server response:

HTTP/1.1 401 Unauthorized
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
WWW-Authenticate: Basic realm="Secure Calendar"
X-AspNet-Version: 4.0.30319
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Date: Tue, 23 Oct 2012 13:27:48 GMT

Thanks, Eric

Ha ha, the answer lay in IIS configuration.

I asked the admins at my host to turn off the other authentications, which broke everything but the iCal feed.

Now they've turned a couple back on again and the MVC site works as well as the calendar feed with authentication... whew! Very, very big smile.

Here's the IIS configuration we ended up with:

Name                        Status         Response Type
Anonymous Authentication    Enabled
ASP.NET Impersonation       Disabled
Basic Authentication        Disabled       HTTP 401 Challenge
Digest Authentication       Disabled       HTTP 401 Challenge
Forms Authentication        Enabled        HTTP 302 Login/Redirect
Windows Authentication      Enabled        HTTP 401 Challenge

I'm not sure why this works—or what else might break—but today I'm happy.

The HTTP WWW-Authenticate response header defines the authentication method that should be used to gain access to a resource. Open the site which you would like to open and then click on the HTTP Response Headers option. Click on the X-Powered-By header and then click Remove on the Actions Pane to remove it from the response.

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

are used by Windows authentication. Since you finally enabled anonymous authentication, all WWW-Authenticate headers will not appear.
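The diagnosis described above, as an added example that is not part of the original posts: a small check that parses a 401 response head, lists every challenge scheme the server offers, and flags the ones the application did not intend along with the version-disclosure headers named on this page. The function names and the `expected` parameter are assumptions of this example; the challenge parsing is simplified (it assumes auth-params are written as `key=value` without spaces around `=`).

```python
import re

# 401 response head from the question above (Cache-Control etc. omitted).
RESPONSE_401 = """\
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
WWW-Authenticate: Basic realm="Secure Calendar"
X-AspNet-Version: 4.0.30319
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
"""

# Version-disclosure headers named on this page.
DISCLOSURE = {"server", "x-powered-by", "x-powered-by-plesk",
              "x-aspnet-version", "x-aspnetmvc-version"}

def parse_head(raw):
    """Return (status_code, [(name, value), ...]), keeping repeated headers."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return int(lines[0].split()[1]), headers

def challenge_schemes(headers):
    """Auth schemes offered, in order, across every WWW-Authenticate header."""
    schemes = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        # One header may carry several challenges: split on commas outside quotes.
        for part in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value):
            first = (part.split() or [""])[0]
            if first and "=" not in first:  # key=value is an auth-param, not a scheme
                schemes.append(first)
    return schemes

def audit(raw, expected=("Basic",)):
    """Report challenges the application did not intend, plus disclosure headers."""
    status, headers = parse_head(raw)
    offered = challenge_schemes(headers)
    allowed = {s.lower() for s in expected}
    return {"status": status, "offered": offered,
            "unexpected": [s for s in offered if s.lower() not in allowed],
            "disclosure": [n for n, _ in headers if n.lower() in DISCLOSURE]}
```

Feed it the response head saved from Fiddler or from `curl -i`; a non-empty `unexpected` list means something other than the application (here, IIS Windows Authentication) is adding challenges.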

To remove unwanted response headers in Microsoft IIS 7.0 to 8.5 use the Dionach StripHeaders native-code module. The default configuration is shown below:

<configuration>
  <system.webServer>
    <stripHeaders>
      <header name="Server" />
      <header name="X-Powered-By" />
      <header name="X-Aspnet-Version" />
    </stripHeaders>
  </system.webServer>
</configuration>

Easy way :

If you want this "X-Powered-By-Plesk" header to be removed from EVERY NEWLY created domain, you can create a default web.config file within the "httpdocs" folder of the "Default Host Template".

This default website template is usually located under : "C:\inetpub\vhosts.skel\0\httpdocs". That web.config file will be used by default when you create a new website.

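<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><httpProtocol><customHeaders>
          <remove name="X-Powered-By-Plesk" />
</customHeaders></httpProtocol></system.webServer></configuration>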

TIP 1 : You can use this method to remove any unwanted Custom header (In order to not tell too much to bad guys about your server) :

<remove name="X-Powered-By"/>
<remove name="X-Powered-By-Plesk"/>
<remove name="X-AspNet-Version"/>
<remove name="X-AspNetMvc-Version"/>

TIP 2 : If you want to remove any Dynamic header (like the famous "Server" header), you will need to operate with outboundRules :

      <rewrite>
        <outboundRules>
          <rule name="StripHeader_Server" patternSyntax="Wildcard">
            <match serverVariable="RESPONSE_SERVER" pattern="*"/>
            <action type="Rewrite" value=""></action>
          </rule>
          <rule name="StripHeader_ETag">
            <match serverVariable="RESPONSE_ETag" pattern=".+" />
            <action type="Rewrite" value="" />
          </rule>
        </outboundRules>
      </rewrite>

TIP 3 : Additionally, you can use this default web.config file to set all configuration parameters you want to use for every new website (for example : to define a list of default documents for your websites, as explained on this Plesk Help article : )

It all starts from here – whenever the client requests a page, the server sends out response data (the actual content) and some response headers as well. The header contains information such as HTTP response status, Content-Type, Content-Length, Location of the requested page, response date and time, server information and

As a belated answer to this, you could also handle this by creating a custom message handler.

The message handler would inherit from DelegatingHandler and has to be added to the HttpConfiguration's MessageHandlers.

A way this could look would be the following:

using System.Net.Http; using System.Threading; using System.Threading.Tasks;
public class EnsureNoAuthenticationHeaderHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync( HttpRequestMessage request, CancellationToken cancellationToken )
    {
        var response = await base.SendAsync( request, cancellationToken );
        // Strip every WWW-Authenticate challenge from 401 responses
        if ( response.StatusCode == System.Net.HttpStatusCode.Unauthorized )
            response.Headers.Remove( "WWW-Authenticate" );
        return response;
    }
}

And then register it in the HttpConfiguration somewhat like the following

private void Register( HttpConfiguration configuration )
{
    configuration.MessageHandlers.Add( new EnsureNoAuthenticationHeaderHandler() );
}

Which you would probably call from your global configuration. A message handler can also be attached to a route directly, so if you don't want it to be available everywhere, just have a look at the linked article on MSDN for more explanation.

What is the best way to access the http headers of the response before transmission? Something like res.removeHeader()? I am looking to remove the www-authenticate header from my 401 responses.

I had the same problem.

The response included 3 WWW-Authenticate headers and only Firefox worked correctly. Chrome, Bing and IE prompted for username and password but after that they did not send the Authenticate Header to the server.

I just changed IIS Authentication settings and it was solved:

Anonymous Authentication  Enabled
ASP.NET Impersonation     Disabled
Basic Authentication      Disabled          HTTP 401 Challenge
Forms Authentication      Disabled          HTTP 302 Login/Redirect
Windows Authentication    Disabled          HTTP 401 Challenge

When I pass the cookie to the Web Server, ARR module routing to Blob Storage it works perfectly. But when I request Web server using Authorization header, the same header is appended to the request to the Blob Storage. So it fails as the token is not for the Blob storage. So I want to remove the token coming from the client to ARR module.
