css files not getting cached - http-headers

We are using IBM HTTP Server as our web server. Whenever a request is sent to the homepage, the browser caches all static files such as JS or images, except CSS.
Why is it caching JS files, which are also static, but not CSS?
Below are the request and response headers for CSS:
Status Code:200 OK
**Request Headers**
Accept:text/css,*/*;q=0.1
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
DNT:1
If-Modified-Since:Thu, 14 Feb 2013 20:38:02 GMT
If-None-Match:"6b01-4d5b53c299e80"
Proxy-Connection:keep-alive
User-Agent:Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.3 Safari/537.31
**Response Headers**
Accept-Ranges:bytes
Age:0
Cache-Control:max-age=172800
Connection:Keep-Alive
Content-Encoding:gzip
Content-Length:5831
Content-Type:text/css
Date:Tue, 26 Feb 2013 23:50:59 GMT
ETag:"6b01-4d5b53c299e80"
Expires:Thu, 28 Feb 2013 23:50:59 GMT
Last-Modified:Thu, 14 Feb 2013 20:38:02 GMT
Proxy-Connection:Keep-Alive
Server:IBM_HTTP_Server
Vary:Accept-Encoding,User-Agent
Via:1.1 localhost.localdomain
And these are headers for JS files which are returning 304:
**Request Headers**
Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
DNT:1
If-Modified-Since:Thu, 14 Feb 2013 20:38:10 GMT
If-None-Match:"7bcc-4d5b53ca3b080"
Proxy-Connection:keep-alive
User-Agent:Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.3 Safari/537.31
**Response Headers**
Cache-Control:max-age=172800
Connection:Keep-Alive
Date:Tue, 26 Feb 2013 23:50:58 GMT
Etag:"7bcc-4d5b53ca3b080"
Expires:Thu, 28 Feb 2013 23:50:59 GMT
Proxy-Connection:Keep-Alive
Vary:Accept-Encoding,User-Agent
Via:1.1 localhost.localdomain

How to troubleshoot Integrated Authentication problems for asp.net core 2.1

Page requests to my asp.net core 2.1.x application published to IIS using Visual Studio 2017 publish, return HTTP Error 401.2 - Unauthorized.
The IIS Server application is configured to use only Integrated Authentication.
IIS Manager Window Snippet
In the snippet, the Default Web Site/OrderTrackingService is the application created and configured by Visual Studio debugging. The Dev.Portal/ordertracking is the same application published via a publish profile from Visual Studio.
As far as I can tell, the web app configuration in IIS is identical.
When I run the application under the debugger, using IIS or IIS Express, the incoming requests have an authorization header:
No Proxy-Authorization Header is present.
Authorization Header (Negotiate) appears to contain a Kerberos ticket:
60 81 84 06 06 2B 06 01 05 05 02 A0 7A 30 78 A0 `..+..... z0x
30 30 2E 06 0A 2B 06 01 04 01 82 37 02 02 0A 06 00...+....7....
09 2A 86 48 82 F7 12 01 02 02 06 09 2A 86 48 86 .*H÷......*H
F7 12 01 02 02 06 0A 2B 06 01 04 01 82 37 02 02 ÷......+....7..
…
When I run the application from IIS directly (as configured by publish and the IIS settings), the incoming requests do not have an authorization header:
No Authorization Header is present.
Can anybody tell me how I can determine why the headers are present in one case and missing in the other case?
UPDATE:
I have some additional information that may help with tracking down the issue. When requests to the web application set up by Visual Studio debugging are made to IIS, there is a series of HTTP request/responses where the auth header is provided and the user identity is established.
- REQUEST/RESPONSE
GET http://.../ordertrackingservice HTTP/1.1
Host: ...
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: .AspNet.Consent=yes
HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Tue, 02 Oct 2018 16:32:36 GMT
Content-Length: 6138
Proxy-Support: Session-Based-Authentication
- REQUEST/RESPONSE
GET http://.../ordertrackingservice HTTP/1.1
Host: ...
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Negotiate YIGEBgYrB....
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: .AspNet.Consent=yes
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate oYIBUTCCAU2gAwoBAaEMBgorBgE...
Date: Tue, 02 Oct 2018 16:32:36 GMT
Content-Length: 341
Proxy-Support: Session-Based-Authentication
- REQUEST/RESPONSE
GET http://.../ordertrackingservice HTTP/1.1
Host: ...
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Negotiate oXcwdaADCgEBoloEWE5UTE1TU1...
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: .AspNet.Consent=yes
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Kestrel
Persistent-Auth: true
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAAAVmumr4Z49ZwAAAAA=
Date: Tue, 02 Oct 2018 16:32:36 GMT
Content-Length: 6884
When requests are made to the website created by the Visual Studio publish tool, this negotiation does not happen. There is a single request/response:
GET http://...:8081/ordertracking HTTP/1.1
Host: ...:8081
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: .AspNet.Consent=yes
HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Tue, 02 Oct 2018 17:00:10 GMT
Content-Length: 5955
Proxy-Support: Session-Based-Authentication
The only thing that is different about the configuration as far as I can tell is that the published website has bindings to port 8081. The exact same code is running in both cases so this must be some kind of configuration issue.
Given:
In the working case the initial response is coming from IIS, the second response is coming from Microsoft-HTTPAPI/2.0, and the third response is coming from Kestrel.
Followup Questions:
Is the middle server part of the ASP.Net core module?
Is it possible that this is missing some kind of config setup that prevents it from receiving the handoff? (like it's only listening on port 80 or something)
The issue that I was running into was caused by a group policy that was blocking clients from NTLM authentication for hosts not in the group policy whitelist. I am not sure why Kerberos authentication was not used, but adding the host to the whitelist allowed the authentication negotiation to proceed.
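One way to see which mechanisms an `Authorization: Negotiate` token offers is to walk its SPNEGO mechanism list; the first entry is the one the client prefers. This is an added example, not code from the original post: the function names are hypothetical, the input is the 64 bytes quoted in the question, and because that capture is cut off the parser stops at the first incomplete element.

```python
# Added example: list the mechanisms offered in a SPNEGO NegTokenInit.
MECH_NAMES = {
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.2.840.48018.1.2.2": "Kerberos 5 (legacy Microsoft OID)",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}
SPNEGO_OID = "1.3.6.1.5.5.2"

# The 64 bytes quoted in the question; the capture is cut off after them.
CAPTURED = bytes.fromhex(
    "608184 06062B0601050502 A07A 3078 A030 302E"
    "060A2B06010401823702020A"
    "06092A864882F712010202"
    "06092A864886F712010202"
    "060A2B0601040182370202"
)

def read_header(buf, pos):
    """Return (tag, length, offset of the value) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:               # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def offered_mechs(token):
    """Return (mechanism names in client preference order, truncated flag)."""
    tag, _, pos = read_header(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial token (raw NTLMSSP or a SPNEGO reply?)")
    tag, length, pos = read_header(token, pos)
    if tag != 0x06 or decode_oid(token[pos:pos + length]) != SPNEGO_OID:
        raise ValueError("GSS-API token, but the mechanism is not SPNEGO")
    pos += length
    # [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
    for expected in (0xA0, 0x30, 0xA0, 0x30):
        tag, length, pos = read_header(token, pos)
        if tag != expected:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    end, mechs = pos + length, []
    while pos < end:
        if pos + 2 > len(token):
            return mechs, True            # header itself is cut off
        tag, length, start = read_header(token, pos)
        if tag != 0x06 or start + length > len(token):
            return mechs, True            # element cut off by the capture
        oid = decode_oid(token[start:start + length])
        mechs.append(MECH_NAMES.get(oid, oid))
        pos = start + length
    return mechs, False

if __name__ == "__main__":
    print(offered_mechs(CAPTURED))
```
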

Why does the web server send the file instead of a 304 http: not modified?

My browser sends the server the following request:
Host: www.imprimante.be
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
If-Modified-Since: Fri, 29 May 2015 14:22:44 GMT
If-None-Match: "90-5173935ad3a1a-gzip"
Referer: http://www.imprimante.be/premier-avis-gratuit/
Cookie: <hidden>
Connection: keep-alive
The URL used is http://www.imprimante.be/wp-content/themes/mch_imprimante/js/theme.min.js? (note: www.imprimante.be is not accessible through wlan yet)
And the server sends me the file with this (status 200) HTTP header:
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 137
Content-Type: application/javascript
Date: Wed, 03 Jun 2015 07:18:03 GMT
Etag: "90-5173935ad3a1a-gzip"
Keep-Alive: timeout=5, max=99
Last-Modified: Fri, 29 May 2015 14:22:44 GMT
Server: Apache/2.4.10 (Debian)
Vary: Accept-Encoding
As you might notice (Last-Modified: Fri, 29 May 2015 14:22:44 GMT) the file hasn't been modified since the last request.
So I don't get why the response isn't a 304 status: not modified.
I'd really like to know why the caching of these files (and some others) doesn't work as I expect it.
It is a bug in Apache. Turn off mod_deflate.

Implementing logging out with Windows Authentication as it's done in SharePoint: without closing the browser

I'm developing a SOA-oriented Intranet application using WCF. I have to implement User Authentication with Windows Authentication.
When we use Windows Authentication there is no possibility to really sign out without closing the browser. Only when you close the browser and open it again you get the browser prompt to enter user credentials. In my application I need user to be able to sign out without closing the browser.
Nevertheless, it seems like there is some trick to change that behavior and, if not really sign out, then imitate it at least. It's implemented in SharePoint.
There are two options: "Sign Out" and "Sign in as a different user". "Sign Out" doesn't really sign out: it shows the prompt to close the browser. If you don't and just re-enter the address of your application, then it's logged in as if nothing happened.
However, "Sign in as a different user" DOES "log out" somehow. That is, after you pressed this button, you get browser prompts to enter your credentials when you try to access your application (WITHOUT closing browser).
In all internet discussions it's clearly said (e.g. here) that it's NOT possible to log out using Windows Authentication. It seems like it's imitated in SharePoint by means of cookies. But I haven't succeeded in reverse engineering of this approach. Could you, please, suggest to me the way I can reproduce the SharePoint behavior in my services.
I'm attaching the SharePoint request/response headers (from Chrome), maybe it can help you come out with some ideas (sorry for the large amount of text; and read ptth as http). Thanks!
1) Logged In User accessing any page:
Request URL:ptth://tfs.somecompany.ru/sites/DefaultCollection/SomeProject/Dashboards/ProjectDashboard_wss.aspx
Request Method:GET
Status Code:200 OK
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cache-Control:max-age=0
Connection:keep-alive
Cookie:TSWA-Session-Vars=TFS-701396601=1055156467&TFS-1638157380=1950326154; WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}
Host:tfs.somecompany.ru
If-Modified-Since:Wed, 26 Mar 2014 11:11:26 GMT
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Response Headers
Cache-Control:private, max-age=0
Content-Encoding:gzip
Content-Length:44579
Content-Type:text/html; charset=utf-8
Date:Wed, 26 Mar 2014 11:11:51 GMT
Expires:Tue, 11 Mar 2014 11:11:51 GMT
Last-Modified:Wed, 26 Mar 2014 11:11:51 GMT
MicrosoftSharePointTeamServices:14.0.0.6029
Server:Microsoft-IIS/7.5
Set-Cookie:WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; path=/
Set-Cookie:WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; path=/
Set-Cookie:TSWA-Session-Vars=TFS-701396601=1055156467&TFS-1638157380=1950326154; path=/; HttpOnly
Set-Cookie:WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; path=/
SPRequestGuid:db76867e-a1ff-4223-80e6-4502141c064a
Vary:Accept-Encoding
X-AspNet-Version:2.0.50727
X-Powered-By:ASP.NET
X-SharePointHealthScore:3
2) Logged In User pressed "Sign Out":
Request URL:ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/_layouts/SignOut.aspx
Request Method:GET
Status Code:200 OK
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Authorization:NTLM
Connection:keep-alive
Cookie:RSExecutionSession%3a%2fTfsReports%2fDefaultCollection%2fSomeProject%2fDashboards%2fBurndown=5po1uhfmxxnmnh45wshyam45; RSExecutionSession%3a%2fTfsReports%2fDefaultCollection%2fSomeProject%2fDashboards%2fBurn+Rate=wpajy3yqku1obhrhpuowv555; WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; TSWA-Session-Vars=TFS-701396601=1055156467&TFS-1638157380=1950326154
Host:tfs.somewebsite.ru
Referer:ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/Dashboards/ProjectDashboard_wss.aspx
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Response Headers
Cache-Control:private
Content-Encoding:gzip
Content-Length:3455
Content-Type:text/html; charset=utf-8
Date:Wed, 26 Mar 2014 11:17:21 GMT
MicrosoftSharePointTeamServices:14.0.0.6029
Persistent-Auth:true
Server:Microsoft-IIS/7.5
Set-Cookie:WSS_KeepSessionAuthenticated=; path=/
SPRequestGuid:bffcf018-5667-4682-8a16-f3851cd2be98
Vary:Accept-Encoding
X-AspNet-Version:2.0.50727
X-Powered-By:ASP.NET
X-SharePointHealthScore:3
3) After pressing "Sign out" enter: ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/Dashboards/ProjectDashboard_wss.aspx
(access is granted)
Request URL:ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/Dashboards/ProjectDashboard_wss.aspx
Request Method:GET
Status Code:200 OK
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Connection:keep-alive
Cookie:RSExecutionSession%3a%2fTfsReports%2fDefaultCollection%2fSomeProject%2fDashboards%2fBurndown=5po1uhfmxxnmnh45wshyam45; RSExecutionSession%3a%2fTfsReports%2fDefaultCollection%2fSomeProject%2fDashboards%2fBurn+Rate=wpajy3yqku1obhrhpuowv555; TSWA-Session-Vars=TFS-701396601=1055156467&TFS-1638157380=1950326154; WSS_KeepSessionAuthenticated=
Host:tfs.somewebsite.ru
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Response Headers
Cache-Control:private, max-age=0
Content-Encoding:gzip
Content-Length:47367
Content-Type:text/html; charset=utf-8
Date:Wed, 26 Mar 2014 11:20:48 GMT
Expires:Tue, 11 Mar 2014 11:20:48 GMT
Last-Modified:Wed, 26 Mar 2014 11:20:48 GMT
MicrosoftSharePointTeamServices:14.0.0.6029
Server:Microsoft-IIS/7.5
Set-Cookie:WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; path=/
Set-Cookie:WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; path=/
Set-Cookie:TSWA-Session-Vars=TFS-701396601=1055156467&TFS-1638157380=1950326154; path=/; HttpOnly
Set-Cookie:WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; path=/
SPRequestGuid:ad83778b-7689-4f7e-b789-9d005e5e9c6a
Vary:Accept-Encoding
X-AspNet-Version:2.0.50727
X-Powered-By:ASP.NET
X-SharePointHealthScore:3
4) Logged In User pressed "Sign in as Different User":
("logging out" happens - browser shows me the prompt to enter credentials)
Request URL:ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/_layouts/closeConnection.aspx?loginasanotheruser=true&Source=http%3A%2F%2Ftfs%2Esomewebsite%2Eru%2Fsites%2FDefaultCollection%2FSomeProject%2FDashboards%2FProjectDashboard%5Fwss%2Easpx
Request Method:GET
Status Code:200 OK
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Connection:keep-alive
Cookie:RSExecutionSession%3a%2fTfsReports%2fDefaultCollection%2fSomeProject%2fDashboards%2fBurndown=5po1uhfmxxnmnh45wshyam45; RSExecutionSession%3a%2fTfsReports%2fDefaultCollection%2fSomeProject%2fDashboards%2fBurn+Rate=wpajy3yqku1obhrhpuowv555; loginAsDifferentAttemptCount=; previousLoggedInAs=; WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; TSWA-Session-Vars=TFS-701396601=1055156467&TFS-1638157380=1950326154
Host:tfs.somewebsite.ru
Referer:ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/Dashboards/ProjectDashboard_wss.aspx
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Query String Parameters
loginasanotheruser:true
Source:ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/Dashboards/ProjectDashboard_wss.aspx
Response Headers
Cache-Control:private
Content-Encoding:gzip
Content-Length:683
Content-Type:text/html; charset=utf-8
Date:Wed, 26 Mar 2014 11:29:27 GMT
MicrosoftSharePointTeamServices:14.0.0.6029
Server:Microsoft-IIS/7.5
Set-Cookie:WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; path=/
SPRequestGuid:01cc0f78-c5af-48b0-a54a-ba214ccf3c0c
Vary:Accept-Encoding
X-AspNet-Version:2.0.50727
X-Powered-By:ASP.NET
X-SharePointHealthScore:3
5) After pressing "Sign in as Different User" enter: ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/Dashboards/ProjectDashboard_wss.aspx
(access is denied - browser shows me the prompt to enter credentials again and after I press cancel I get the response)
Request URL:ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/Dashboards/ProjectDashboard_wss.aspx
Request Method:GET
Status Code:401 Unauthorized
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cache-Control:max-age=0
Connection:keep-alive
Cookie:loginAsDifferentAttemptCount=0; RSExecutionSession%3a%2fTfsReports%2fDefaultCollection%2fSomeProject%2fDashboards%2fBurndown=5po1uhfmxxnmnh45wshyam45; RSExecutionSession%3a%2fTfsReports%2fDefaultCollection%2fSomeProject%2fDashboards%2fBurn+Rate=wpajy3yqku1obhrhpuowv555; TSWA-Session-Vars=TFS-701396601=1055156467&TFS-1638157380=1950326154; WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; previousLoggedInAs=WIN-9DCSKEFGDTE+AFw-MyUserName; loginAsDifferentAttemptCount=1
Host:tfs.somewebsite.ru
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Response Headers
Content-Length:0
Date:Wed, 26 Mar 2014 11:33:15 GMT
MicrosoftSharePointTeamServices:14.0.0.6029
Server:Microsoft-IIS/7.5
SPRequestGuid:0d9863b0-9243-4762-bdb3-1ea49bec57e7
WWW-Authenticate:NTLM
X-Powered-By:ASP.NET
Update 27.03.14
Found a way to imitate this behavior in Chrome and Opera without Cookies or anything. I just implement LogOut service operation like this:
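// Requires: using System.Net; using System.ServiceModel.Web;
public void LogOff()
{
    // Reply with a 401 and an NTLM challenge; Chrome and Opera then prompt for credentials again.
    WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
    WebOperationContext.Current.OutgoingResponse.Headers.Add("WWW-Authenticate", "NTLM");
}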
Check this link. Still have problems in Firefox though (doesn't prompt for authentication at all, always returns 401) and IE (doesn't log off, just refreshes the page, that's it).

IIS responding with 304 HTTP status to non-conditional requests

Sometimes my IIS server starts responding with 304 HTTP status to non-conditional requests. I have yet to determine exactly when this happens, but when it starts all browsers keep getting 304.
This is the request (debugged using fiddler):
GET http://www.example.com/aaa/bbb/GetStaticResult HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost:12345/xxx
Origin: http://localhost:12345
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
And the response:
HTTP/1.1 304 Not Modified
Cache-Control: public
Expires: Thu, 30 Apr 2015 09:23:22 GMT
Last-Modified: Wed, 30 Apr 2014 09:23:22 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 30 Apr 2014 10:33:58 GMT
The ASP.NET MVC method is the following:
[HttpGet]
[OutputCache(Duration = int.MaxValue, VaryByParam = "")]
public string GetStaticResult()
{
    return "static";
}
The request hasn't any If-Modified-Since (or similar) header. Shouldn't the server issue a 200 response?
May be related with Getting a 304 if there is no If-Modified-Since sent?
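The traces in this question and in the IBM HTTP Server and Apache questions above can all be checked the same way: compute the status that the conditional-request rules of RFC 7232 call for and compare it with what the server sent. This is an added example, not code from any of the posts; the function names are hypothetical and the header values are copied from the traces on this page.

```python
from email.utils import parsedate_to_datetime

def etag_list(value):
    """Split an entity-tag list and drop the W/ prefix, since If-None-Match
    uses weak comparison. Simplification: assumes no comma inside a tag."""
    tags = [t.strip() for t in value.split(",")]
    return [t[2:] if t.startswith("W/") else t for t in tags]

def expected_status(request, validators):
    """Status RFC 7232 calls for on a GET, given lower-cased request headers
    and the validators (etag / last-modified) of the current representation."""
    inm = request.get("if-none-match")
    if inm is not None:
        # If-None-Match takes precedence; If-Modified-Since is then ignored.
        wanted = etag_list(inm)
        current = validators.get("etag")
        if "*" in wanted or (current and etag_list(current)[0] in wanted):
            return 304
        return 200
    ims, modified = request.get("if-modified-since"), validators.get("last-modified")
    if ims and modified:
        try:
            if parsedate_to_datetime(modified) <= parsedate_to_datetime(ims):
                return 304
        except (TypeError, ValueError):
            pass                          # unparseable date: the header is ignored
    return 200

def audit(request, status, response):
    """Compare the status the server sent with the one the headers call for."""
    request = {k.lower(): v for k, v in request.items()}
    response = {k.lower(): v for k, v in response.items()}
    if status == expected_status(request, response):
        return "consistent"
    if status == 200:
        return "validators match, yet the full body was sent"
    return "304 sent although no conditional header matched"

# (request headers, status sent, response headers), copied from this page.
TRACES = {
    "IBM HTTP Server, CSS": (
        {"If-Modified-Since": "Thu, 14 Feb 2013 20:38:02 GMT",
         "If-None-Match": '"6b01-4d5b53c299e80"'}, 200,
        {"ETag": '"6b01-4d5b53c299e80"',
         "Last-Modified": "Thu, 14 Feb 2013 20:38:02 GMT"}),
    "IBM HTTP Server, JS": (
        {"If-Modified-Since": "Thu, 14 Feb 2013 20:38:10 GMT",
         "If-None-Match": '"7bcc-4d5b53ca3b080"'}, 304,
        {"Etag": '"7bcc-4d5b53ca3b080"'}),
    "Apache 2.4.10, theme.min.js": (
        {"If-Modified-Since": "Fri, 29 May 2015 14:22:44 GMT",
         "If-None-Match": '"90-5173935ad3a1a-gzip"'}, 200,
        {"Etag": '"90-5173935ad3a1a-gzip"',
         "Last-Modified": "Fri, 29 May 2015 14:22:44 GMT"}),
    "IIS 7.5, GetStaticResult": (
        {"Pragma": "no-cache", "Cache-Control": "no-cache"}, 304,
        {"Last-Modified": "Wed, 30 Apr 2014 09:23:22 GMT"}),
}

def audit_all():
    return {name: audit(*trace) for name, trace in TRACES.items()}

if __name__ == "__main__":
    for name, finding in audit_all().items():
        print(f"{name}: {finding}")
```
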

Why (and when) does Google CDN serve jQuery uncompressed?

When I load Google's hosted jquery.min.js, it does not return gzipped:
Request headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cache-Control:max-age=0
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/534.51.22 (KHTML, like Gecko) Version/5.1.1 Safari/534.51.22
Response headers
Age:262255
Cache-Control:public, max-age=31536000
Content-Length:91668
Content-Type:text/javascript; charset=UTF-8
Date:Fri, 11 Nov 2011 13:06:19 GMT
Expires:Sat, 10 Nov 2012 13:06:19 GMT
Last-Modified:Thu, 22 Sep 2011 14:12:07 GMT
Server:sffe
Vary:Accept-Encoding
X-Content-Type-Options:nosniff
X-XSS-Protection:1; mode=block
Interestingly, jquery-ui.min.js does:
Request headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cache-Control:max-age=0
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/534.51.22 (KHTML, like Gecko) Version/5.1.1 Safari/534.51.22
Response headers
Cache-Control:private, x-gzip-ok="", max-age=31536000
Content-Encoding:gzip
Content-Length:52140
Content-Type:text/javascript; charset=UTF-8
Date:Mon, 14 Nov 2011 13:55:50 GMT
Expires:Mon, 14 Nov 2011 13:55:50 GMT
Last-Modified:Thu, 22 Sep 2011 14:12:07 GMT
Server:sffe
Vary:Accept-Encoding
X-Content-Type-Options:nosniff
X-XSS-Protection:1; mode=block
What's the deal?
I found an article claiming Google disregards Accept-Encoding and looks at User-Agent to decide whether to compress or not. This doesn't explain why latest Safari and Chrome on Mac OS X get uncompressed jQuery (and compressed jQuery UI).
Here's my request headers:
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding:gzip, deflate
Accept-Language:en-gb,en;q=0.5
Connection:keep-alive
Host:ajax.googleapis.com
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
I get the following response headers:
Cache-Control: private, x-gzip-ok="", max-age=31536000
Content-Encoding: gzip
Content-Length: 32103
Content-Type: text/javascript; charset=UTF-8
Date: Mon, 14 Nov 2011 13:28:31 GMT
Expires: Mon, 14 Nov 2011 13:28:31 GMT
Last-Modified: Thu, 22 Sep 2011 14:12:07 GMT
Server: sffe
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-XSS-Protection:1; mode=block
Looks like it's gzip by default, as long as the encoding is accepted.