Don’t forget to Automatically Authenticate calls when using Fiddler

March 20, 2018

I tend to forget some simple things I just don’t use that often.

One of these is when working with some ASP.NET apps which are using Windows Authentication with 401 HTTP Challenge (Kerberos) set like this in IIS manager : asp dot net iis windows auth sample

For bigger HTTP debugging “jobs” I am using Fiddler, as most of us do. So, if you want to forge a new HTTP request in Composer and see something like this (401 in the lines 14-21) : calls without automatically authenticate

You clearly need to check Automatically Authenticate in Composer Options tab.

So what do we see here. This is a random session on my dev box. My browser undergo 401 challenge in the step 1 and 2. From there, everything had 200 because we are authenticated. This is done by the browser, “automagically”. I drag and dropped POST request on position 12 to Composer and not checked Automatically Authenticate (I forgot to) and I got all those nice 401s from 14 to 21.

Please note, that even if you drag and drop some request from browser that got 200 from IIS, the Fiddler will not get 200 also. Fiddler is for IIS just another client, just replaying the very same request will not make it authenticated. This is by design, not a bug.

If you allow automatically authenticate, you will see that you will get 401 at first, but Fiddler will do it’s job and issue another request, which will get 200 this time. Something like this : calls with automatically authenticate

All requests from that point will get 200.

Hope this helps.


Profile picture

Written by Dušan Roštár - the "mr edge case" guy
my twitter : rostacik, my linkedin : rostar, drop me an email : here