JQuery Ajax + Windows Authentication = 401 Unauthorized

The following answer is based on my understanding of NTLM / Kerberos and some assumptions about how the XmlHttpRequest reuses information known to the browser. However, I have not actually tried to reproduce your scenario, and hence there is a chance that I am wrong.

Okay, this is it. Session NTLM is a connection-oriented protocol. This means that if your server keeps returning "Keep-alive" and the client is reusing the same connection, then there is no need for another authentication. However, as soon as the connection is closed and reopened, a new handshake is required. As long as it is the browser that the server is requesting, the new handshake is done automatically using the credentials cached in the browser's memory, the exact credentials you provided in the initial handshake.

This is why I believe your ajax call is not working - perhaps it just opens a new connection and requires a new handshake (and it seems that for some reason it doesn't reuse the credentials cached in browser memory).

However, this should change if you switch to Kerberos. Kerberos is based on a challenge-response pattern in which the browser and server bind directly to the authentication credentials. Kerberos then stores your authentication on the http header with a ticket. Most likely, the header will be automatically added to your AJAX requests.

Note that unlike NTLM, Kerberos only works if the browser and server can communicate with authentication credentials. This is why IIS usually sets the authentication scheme to "Negotiate" - this tries Kerberos first and then switches back to NTLM if the browser does not directly access the authentication credentials.