[MULE-17110] NTLM authentication with dynamic credentials is successful despite credentials changes Created: 04/Jul/19 Updated: 23/Oct/19 Resolved: 16/Aug/19
|Affects Version/s:||3.9.1 (EE Only), 3.10.0, HTTP Service 1.4.3|
|Fix Version/s:||4.3.0, 4.2.2 (EE Only), HTTP Service 1.4.4, 1_14-MULE-011|
|Type:||Bug||Priority:||To be reviewed|
|Reporter:||Pablo Balbi||Assignee:||Pablo Balbi|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Defect Source:||Dev Bug|
|Sprint:||Prod Eng - Loki 08/14|
|Severity Label:||S2 (Regular)|
When an HTTP requester with NTLM authentication is used with an expression in the credentials, the following happens:
The HTTP_KEEP_ALIVE configuration cannot be avoided, since it's required for the second part of the NTLM dance to work.
|Comment by Pablo Balbi [ 04/Jul/19 ]|
The solution implemented consists of setting the Connection: close header in the final request of the NTLM, which will cause IIS to respond with the authentication success and the message corresponding to the result of the triggering request, and proceed to close the TCP connection with mule.
A similar fix has been implemented in Postman: https://github.com/postmanlabs/postman-app-support/issues/5111.
On the other hand, a workaround exists by configuring IIS to persist authentication results for just one request: https://docs.microsoft.com/en-us/iis/configuration/system.webServer/security/authentication/windowsAuthentication/.
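The header rule described in the comment above, as an added Python example (not code from Mule, the HTTP Service or Grizzly AHC): it finds the request that carries the NTLM Type 3 (Authenticate) message and marks only that request with Connection: close, leaving the earlier Negotiate request on keep-alive. The function names and the sample tokens are assumptions constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_AUTHENTICATE = 3  # Type 3: final client message of the handshake


def ntlm_message_type(authorization_value):
    """Return the NTLM message type (1, 2 or 3) carried by an Authorization
    header value, or None if the value is not a well-formed NTLM token."""
    scheme, _, token = authorization_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        return None
    # The message type is a 32-bit little-endian integer after the signature.
    return struct.unpack_from("<I", raw, 8)[0]


def finalize_ntlm_request(headers):
    """Return a copy of `headers` where the request carrying the Type 3
    message asks the server to close the connection afterwards, so the
    authenticated connection is not reused by a later request sent with
    different credentials. Other requests are returned unchanged: the
    handshake needs keep-alive until the Type 3 message has been sent."""
    out = dict(headers)
    auth = next((v for k, v in out.items() if k.lower() == "authorization"), "")
    if ntlm_message_type(auth) == NTLM_AUTHENTICATE:
        for key in [k for k in out if k.lower() == "connection"]:
            del out[key]  # drop any existing Connection header, any casing
        out["Connection"] = "close"
    return out


def constructed_token(msg_type):
    # Constructed sample: signature + type + zero padding, not a real NTLM blob.
    raw = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 16
    return "NTLM " + base64.b64encode(raw).decode("ascii")


NEGOTIATE_HEADERS = {"Authorization": constructed_token(1), "Connection": "keep-alive"}
AUTHENTICATE_HEADERS = {"Authorization": constructed_token(3), "Connection": "keep-alive"}
```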
|Comment by Pablo Balbi [ 15/Jul/19 ]|
Issue does reproduce in Mule 4. Tracking progress here.
|Comment by Pablo Balbi [ 16/Aug/19 ]|
New Grizzly AHC version
|Comment by Pablo Balbi [ 23/Oct/19 ]|
This issue has been fixed since grizzly version 1_14-
This new service version has been shipped inside the distributions since mule-4.2.2, and mule-4.3.0.