IIS Windows Authentication prompts for site pages multiple times, authPersistSingleResponse=false

This refers to IIS 8.5. "authPersistSingleResponse" is set to false.

The site has a default landing page, written in ColdFusion, but doesn't do anything more than print HTML and basic JS to move around the site.  The site root has Anonymous access and Windows Authentication enabled.  Inside is a secure folder which has Anonymous access disabled, and Windows Authentication Enabled.  This works as expected.  The user is challenged for AD credentials, and when authenticated, the user is allowed in.

<location path="cfreports">
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>
<location path="cfreports/reports/">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>

As expected, when a user clicks on a link to any page (e.g. "/reports/create/default.cfm"), the user is allowed in without being prompted again.  Note that authPersistSingleRequest is set to FALSE. 

If they click a link on THAT page, they're prompted for credentials again.  If the user enters credentials, it works properly.  If the user hits Cancel, the user is still allowed access to that default.cfm page.  No matter what you do, ColdFusion sees the credentials are present on that page too.  From that point, if you hit refresh, you get challenged again, and then if you hit cancel, you get a 401.

(401 - Unauthorized: Access is denied due to invalid credentials.)

Then it becomes inconsistent.  Every time you access a different page, even ones you've authenticated before, sometimes you're prompted, sometimes you're not.  Sometimes entering credentials works, sometimes it doesn't.  

Digging into the security settings, I found that authPersistSingleRequest is not set, which means it's false.  Configuration Editor showed the same thing.

<security>
  <access sslFlags="None" />
  <applicationDependencies />
  <authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" />
    <basicAuthentication enabled="false" />
    <clientCertificateMappingAuthentication />
    <digestAuthentication />
    <iisClientCertificateMappingAuthentication />
    <windowsAuthentication enabled="false" authPersistNonNTLM="true">
      <providers>
        <add value="Negotiate" />
        <add value="NTLM" />
      </providers>
    </windowsAuthentication>
  </authentication>
  <authorization />
</security>

I'm out of ideas, and I am unable to figure out the correct terms to search on.
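An added diagnostic script (not part of the original post) that dumps the effective windowsAuthentication and anonymousAuthentication settings at the site root and at each of the two location paths from the post, so the per-path values of authPersistSingleRequest, authPersistNonNTLM and the provider list can be compared side by side. The site name "Default Web Site" is an assumption; the WebAdministration module ships with IIS 8.5.

```powershell
# Added example: compare effective Windows Authentication settings per path.
# Assumption: the site is named "Default Web Site"; adjust $site as needed.
Import-Module WebAdministration

$site  = 'Default Web Site'
# Paths taken from the <location> elements in the post; '' is the site root.
$paths = @('', 'cfreports', 'cfreports/reports')

$winFilter  = 'system.webServer/security/authentication/windowsAuthentication'
$anonFilter = 'system.webServer/security/authentication/anonymousAuthentication'

foreach ($p in $paths) {
    $psPath = if ($p) { "IIS:\Sites\$site\$p" } else { "IIS:\Sites\$site" }

    # Get-WebConfiguration returns the *effective* (inherited + overridden) element.
    $win  = Get-WebConfiguration -Filter $winFilter  -PSPath $psPath
    $anon = Get-WebConfiguration -Filter $anonFilter -PSPath $psPath
    $providers = (Get-WebConfiguration -Filter "$winFilter/providers/add" -PSPath $psPath |
                  ForEach-Object { $_.value }) -join ','

    [pscustomobject]@{
        Path                     = $psPath
        AnonymousEnabled         = $anon.enabled
        WindowsAuthEnabled       = $win.enabled
        AuthPersistSingleRequest = $win.authPersistSingleRequest
        AuthPersistNonNTLM       = $win.authPersistNonNTLM
        Providers                = $providers
    }
}
```

Where a value changes between rows, a <location> element for that path or a web.config inside that folder is overriding the inherited setting, which is the first place to look when prompting behaves differently from one page to the next.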
