IIS 7 and Above
IIS7.5 receives empty post body from Safari 5.1??
Last post Oct 23, 2013 08:44 AM by galastur
Oct 13, 2011 07:16 PM|john.newman|LINK
Oct 14, 2011 09:58 AM|lextm|LINK
Oct 14, 2011 02:49 PM|john.newman|LINK
Oct 15, 2011 04:16 AM|lextm|LINK
Simply reading failed request tracing and hoping to find out the differences on IIS side alone is not recommended.
All HTTP conversations are carried out between the browser and the server. Therefore, you should capture more data (such as the HTTP packets) exchanged between the two. In your case, I think you can use Wireshark to capture HTTP packets on Mac + Safari 5.1
and then compare with the same capture on Mac + Safari 5.0 to see if there are any obvious differences.
The differences on IIS side can be explained once the whole conversation is nice and clear. If you don't dig more, or look at the big picture, you may get lost or miss the hints.
Oct 15, 2011 11:33 PM|john.newman|LINK
Oct 16, 2011 02:02 PM|lextm|LINK
Glad to hear that you find out the problem.
It should not be hard to find it out, if you are familiar with such typical error patterns inside network packet captures. That requires experience, and it is common that you did not realize it earlier.
But authentication between the browser and the server can lead to such problems, if Apple did make big changes in Safari 5.1.
Negotiate is something complicated, and as far as I know only Microsoft IE can handle it properly. Therefore, it is recommended that you use NTLM only for most scenarios (like what SharePoint Server does after its installation). Though it does lower the
security protection, it maximizes compatibility.
You may consult Apple support to see if they can provide details on such changes (maybe they have that details in Safari 5.1 release notes or somewhere else), but they really should be more careful on their product upgrade to make sure it maintains certain
amount of compatibility.
Feb 17, 2012 07:59 PM|tom1132|LINK
Well yeah, I've done all that already and it didn't reveal anything, which is why I asked for help... The failed request trace I posted there was simply the most revealing thing I had to go on.
Figured it out somewhat after digging through all the config of my server vs our test server. Thankfully I had this difference and was able to spot it.
Authentication > Integrated windows authentication > advanced settings > providers > [Negotiate, NTLM] <-- Does not work
Authentication > Integrated windows authentication > advanced settings > providers > [NTLM] <-- Works
So it looks like it's a bug with safari's authentication stack, where the post body somehow gets screwed up when negotiate is enabled. It doesn't make any sense why that would happen, but really I'm seeing a lot of other odd behavior with authentication in
5.1. A lot of times, but not always, I'll get more than one password prompt when it tries to authenticate the child requests the page makes (css / js / img). I don't think it's a bug with IIS since every other browser even 5.0 is totally fine, plus that NTLM
stack should be properly implemented and untouched stable for a long time now... unless a recent windows update in that area could be contributing... that's worth checking out at least. On Monday I'll follow up with the safari folks and see if I can find the
Feb 17, 2012 08:09 PM|john.newman|LINK
Apr 10, 2012 07:21 PM|pdearmore|LINK
I just thought I would throw this out there and see if anyone had some comments on this. I was experiencing the same behavior with Safari/IIS, and just stumbled across something. If you go to the Advanced Settings of the Windows Authentication in the Authentication
configuration of the web site application in IIS, there is a check box labeled "Enable Kernel-mode authentication". This was checked by default--when I unchecked it, Safari didn't have any more problems with the empty POST body. Is this a suitable workaround
for the time-being, or is it not a good idea?
Oct 23, 2013 08:44 AM|galastur|LINK
I am experiencing exactly the same problem...It has been 2 years! Looks like Safari dev are not interested, nevertheless i will report it (although I can't provide them with a public URL)
Again, thank you for providing a work around