NTLM Authentication Becomes Invalid After Sending a Request to a Different Site

Hello,

I am testing an application that sends requests to 2 backends. One is using NTLM authentication. If I send a call in between 2 calls that require NTLM authentication, the 2nd NTLM authentication will fail. Here is an example: scenario 1 will work and scenario 2 will fail.

Scenario 1 - Working

import http from 'k6/http';

export default function () {
    // Authenticate against the NTLM-protected site with explicit credentials
    let res = http.get(
        'https://username:password@www.site1.com/Login.aspx',
        { auth: 'ntlm' }
    ); // returns 200
    // Follow-up request to the same site, without credentials
    res = http.get('https://www.site1.com/ntlm.aspx'); // returns 200
}

Scenario 2 - Making a call to a site other than the one that requires NTLM authentication will break NTLM authentication

import http from 'k6/http';

export default function () {
    // Authenticate against the NTLM-protected site with explicit credentials
    let res = http.get(
        'https://username:password@www.site1.com/Login.aspx',
        { auth: 'ntlm' }
    ); // returns 200
    // Unrelated request to a different site
    res = http.get('https://www.google.com'); // returns 200
    // Follow-up request to the NTLM site, without credentials
    res = http.get('https://www.site1.com/ntlm.aspx'); // returns 401
}

Scenario 3 - If we re-authenticate after calling the different site, NTLM authentication will work

import http from 'k6/http';

export default function () {
    // Authenticate against the NTLM-protected site with explicit credentials
    let res = http.get(
        'https://username:password@www.site1.com/Login.aspx',
        { auth: 'ntlm' }
    ); // returns 200
    // Unrelated request to a different site
    res = http.get('https://www.google.com'); // returns 200
    // Re-authenticate before the next request to the NTLM site
    res = http.get(
        'https://username:password@www.site1.com/Login.aspx',
        { auth: 'ntlm' }
    ); // returns 200
    // Follow-up request to the NTLM site, without credentials
    res = http.get('https://www.site1.com/ntlm.aspx'); // returns 200
}

And also, other than sending a request to a different site, if I run into 404 calls, even on the same site, NTLM authentication will become invalid:

import http from 'k6/http';

export default function () {
    // Authenticate against the NTLM-protected site with explicit credentials
    let res = http.get(
        'https://username:password@www.site1.com/Login.aspx',
        { auth: 'ntlm' }
    ); // returns 200
    // Request to a non-existent path on the same site
    res = http.get('https://www.site1.com/404link'); // returns 404
    // Follow-up request to the NTLM site, without credentials
    res = http.get('https://www.site1.com/ntlm.aspx'); // returns 401
}

Hi @longfeibisheng, sorry for the slow response, this fell through the cracks.

I can’t figure out why exactly this happens, and unfortunately we don’t have any NTLM test site to test against (have been looking for some time), but here are some thoughts:

  1. NTLM is authenticating the connection, not a particular request, under the hood. Which leads me to believe that for some reason, instead of using the same connection on the second/third request, it makes a new one, which isn’t authenticated, and this is what is broken. I can’t reproduce this with the latest k6 (or even some old versions), but not for NTLM connections, so maybe something else happens for NTLM. Also, I am aware that sometimes endpoints on the same host may or may not support NTLM and consequently require a new connection, which is what I expect happens in the second case. Additionally, servers may close connections, especially on 4xx/5xx requests, even if they are keep-alive.
  2. Given that you want all of these requests to be authenticated, and that even if it sometimes works, in reality you should always give all the information. There are no guarantees that a connection will be reused or that the same one will be used, and this can happen for any number of reasons, including a server-side limit on requests per connection.

Arguably the current k6 API, while somewhat easier to use, is not exposing the underlying mechanic, which leads to this problem. Maybe in a future version (if NTLM is kept, as it has been technically advised against by Microsoft since 2010) we will have a closer-to-reality abstraction.

So in retrospect – if a request needs to be NTLM authenticated, you should always provide the {ntlm: true} and the user and password.

Hope this helps you and happy holidays.
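One way to follow the advice above without repeating credentials at every call site, as an added example that is not from the original thread or from k6 itself: a small helper that attaches the credentials and `auth: 'ntlm'` to every request bound for an NTLM-protected host, so no request depends on an earlier one having authenticated the connection. The host name and credentials are constructed placeholders, and `withNtlm` is a hypothetical helper name.

```javascript
// Added example (not from the original thread or from k6): build the
// (url, params) pair for http.get() so that every request to an
// NTLM-protected host carries its credentials itself, instead of relying on
// connection reuse from an earlier authenticated request.
// Constructed placeholder: host and credentials used in the thread's scenarios.
const NTLM_HOSTS = {
  'www.site1.com': { username: 'username', password: 'password' },
};

// Return { url, params } for a request. Hosts listed in `hosts` get the
// credentials embedded in the URL (the URL API percent-encodes them) and
// auth: 'ntlm' set; any other host is passed through untouched.
function withNtlm(url, params = {}, hosts = NTLM_HOSTS) {
  const u = new URL(url);
  const cred = hosts[u.hostname];
  if (!cred) {
    return { url, params };
  }
  u.username = cred.username;
  u.password = cred.password;
  return { url: u.toString(), params: { ...params, auth: 'ntlm' } };
}

// Plan a whole sequence of requests (e.g. scenario 2: site1, google, site1)
// so that both site1 requests are authenticated regardless of what sits
// between them.
function planRequests(urls, hosts = NTLM_HOSTS) {
  return urls.map((url) => withNtlm(url, {}, hosts));
}

// In a k6 script the call site would be:
//   const r = withNtlm('https://www.site1.com/ntlm.aspx');
//   http.get(r.url, r.params);
```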