Handle gracefully scenarios where NTLM auth persist only for a single… #363

Closed
wants to merge 1 commit into
from

Conversation

Projects
None yet
1 participant
@frenche
Contributor

frenche commented Aug 3, 2015

… request

Currently when the server responds with 401 on NTLM authenticated connection (re-used)
we consider authentication to have failed.
However this is legitimate and may happen when for example IIS is set configured to
'authPersistSingleRequest' or when the request goes thru a proxy (with 'via' header).

Implemented by imploying an additional state once a connection is re-used to indicate
that if we receive 401 we need to restart authentication.


It is a new approach instead of what I've suggested at PR #250 (detailed there).

Link to MS doc about 'authPersistSingleRequest':
https://msdn.microsoft.com/en-us/library/aa347472(v=VS.90).aspx

Link to MS blog explaining why this may occur when using proxy:
http://blogs.technet.com/b/isablog/archive/2009/07/30/excessive-authentication-traffic-accessing-an-iis-site-when-using-isa-server-2006-as-forward-proxy.aspx

Thanks,
Isaac B.

Handle gracefully scenarios where NTLM auth persist only for a single…
… request

Currently when the server responds with 401 on NTLM authenticated connection (re-used)
we consider it to have failed.
However this is legitimate and may happen when for example IIS is set configured to
'authPersistSingleRequest' or when the request goes thru a proxy (with 'via' header).

Implemented by imploying an additional state once a connection is re-used to indicate
that if we receive 401 we need to restart authentication.

@bagder bagder closed this in fe6049f Aug 6, 2015

@frenche frenche deleted the frenche:ntlm_persist_single branch Aug 11, 2015

jgsogo added a commit to jgsogo/curl that referenced this pull request Oct 19, 2015

NTLM: handle auth for only a single request
Currently when the server responds with 401 on NTLM authenticated
connection (re-used) we consider it to have failed.  However this is
legitimate and may happen when for example IIS is set configured to
'authPersistSingleRequest' or when the request goes thru a proxy (with
'via' header).

Implemented by imploying an additional state once a connection is
re-used to indicate that if we receive 401 we need to restart
authentication.

Closes #363
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment