[MULE-17110] NTLM authentication with dynamic credentials is successful despite credentials changes Created: 04/Jul/19  Updated: 23/Oct/19  Resolved: 16/Aug/19

Status: Resolved
Project: Mule
Component/s: Modules: HTTP
Affects Version/s: 3.9.1 (EE Only), 3.10.0, HTTP Service 1.4.3
Fix Version/s: 4.3.0, 4.2.2 (EE Only), HTTP Service 1.4.4, 1_14-MULE-011
Security Level: Public

Type: Bug Priority: To be reviewed
Reporter: Pablo Balbi Assignee: Pablo Balbi
Resolution: Done Votes: 0
Labels: mule4
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Severity: S2
Bug Boosted: No
Defect Source: Dev Bug
Story Points: 0
Sprint: Prod Eng - Loki 08/14
Severity Label: S2 (Regular)
Affects:
nothing

Description

When an HTTP requester with NTLM authentication is used with an expression in the credentials, the following happens:

  1. The flow is executed with the expression resolving to the correct credentials. This makes the requester establish an authenticated session with the IIS server it is targeting. Since NTLM requires HTTP_KEEP_ALIVE, the TCP connection between Mule and IIS is kept open.
  2. The flow is triggered once again, this time with the expression resolving to invalid credentials. Since the connection is still open, no authentication dance is required, so the resource is accessed with invalid credentials.

The HTTP_KEEP_ALIVE configuration cannot be avoided, since it is required for the second part of the NTLM dance to work.



Comments
Comment by Pablo Balbi [ 04/Jul/19 ]

The solution implemented consists in setting the Connection: close header in the final request of the NTLM handshake, which will cause IIS to respond with the authentication success (the message corresponding to the result of the triggering request) and then proceed to close the TCP connection with Mule.

A similar fix has been implemented in Postman: https://github.com/postmanlabs/postman-app-support/issues/5111.

On the other hand, a workaround exists by configuring IIS to persist authentication results for just one request: https://docs.microsoft.com/en-us/iis/configuration/system.webServer/security/authentication/windowsAuthentication/.
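As an added illustration (not code from this issue, from Mule, or from Grizzly AHC), the following Python model plays both sides of the exchange that the description and the fix above refer to: a requester with a single keep-alive connection doing the three-leg NTLM dance against a server that binds the authenticated state to the TCP connection. It shows the bug (a second request with wrong credentials is served without any handshake on the still-open connection), the fix (Connection: close on the final handshake request forces a new connection and a fresh handshake), and the IIS-side workaround (the server forgets the authenticated state after the request that completed the handshake). The class names ToyIIS and ToyRequester, the account svc_mule, the TYPE1/TYPE2/TYPE3 strings and the hash used as the challenge response are all constructed for the model and are not the real NTLM message formats; the auth_persist_single_request flag is this model's stand-in for the IIS setting the linked workaround describes.

```python
"""Toy model of connection-scoped NTLM authentication over a keep-alive pool.
NTLM authenticates the TCP connection, not each request, so a kept-alive
connection stays authenticated until it is closed. All messages are constructed
placeholders, not real NTLM Type 1/2/3 blobs."""
import hashlib
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample account on the toy server (not a real credential).
VALID_USERS = {"svc_mule": "correct-horse"}


def ntlm_response(password: str, challenge: str) -> str:
    """Toy stand-in for the NTLM challenge response: a hash over password and challenge."""
    return hashlib.sha256(f"{password}:{challenge}".encode()).hexdigest()


@dataclass
class Connection:
    conn_id: int
    open: bool = True
    challenge: Optional[str] = None           # Type 2 challenge issued on this connection
    authenticated_user: Optional[str] = None  # NTLM auth state is bound to the connection


class ToyIIS:
    """Server side. auth_persist_single_request is this model's stand-in for the IIS
    windowsAuthentication setting the workaround links to: when True, the
    authenticated state is dropped after the request that completed the handshake."""

    def __init__(self, auth_persist_single_request: bool = False):
        self.auth_persist_single_request = auth_persist_single_request
        self._ids = itertools.count(1)

    def connect(self) -> Connection:
        return Connection(next(self._ids))

    def handle(self, conn: Connection, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
        if not conn.open:
            raise ConnectionError(f"connection {conn.conn_id} is closed")
        try:
            return self._dispatch(conn, headers)
        finally:
            # Honour the client's Connection: close once the response has been produced.
            if headers.get("Connection", "").lower() == "close":
                conn.open = False

    def _dispatch(self, conn: Connection, headers: Dict[str, str]):
        if conn.authenticated_user is not None:
            # Already-authenticated connection: served with no Authorization header at all.
            # This is the behaviour the bug relies on.
            return 200, {}, f"resource for {conn.authenticated_user} on conn {conn.conn_id}"
        auth = headers.get("Authorization", "")
        if not auth.startswith("NTLM "):
            return 401, {"WWW-Authenticate": "NTLM"}, ""
        parts = auth[len("NTLM "):].split(":")
        if parts[0] == "TYPE1":
            conn.challenge = f"nonce-{conn.conn_id}"  # constructed per-connection challenge
            return 401, {"WWW-Authenticate": f"NTLM TYPE2:{conn.challenge}"}, ""
        if parts[0] == "TYPE3" and len(parts) == 3 and conn.challenge is not None:
            user, response = parts[1], parts[2]
            password = VALID_USERS.get(user)
            if password is not None and response == ntlm_response(password, conn.challenge):
                if not self.auth_persist_single_request:
                    conn.authenticated_user = user  # connection stays authenticated
                return 200, {}, f"resource for {user} on conn {conn.conn_id}"
        conn.challenge = None
        return 401, {"WWW-Authenticate": "NTLM"}, ""


class ToyRequester:
    """Client side: a one-connection keep-alive pool plus the three-leg NTLM dance.
    close_after_handshake is the fix from the comment: Connection: close on the
    final (Type 3) request of the handshake."""

    def __init__(self, server: ToyIIS, close_after_handshake: bool = False):
        self.server = server
        self.close_after_handshake = close_after_handshake
        self._pooled: Optional[Connection] = None

    def _connection(self) -> Connection:
        if self._pooled is None or not self._pooled.open:
            self._pooled = self.server.connect()
        return self._pooled

    def get(self, user: str, password: str) -> Tuple[int, str]:
        conn = self._connection()
        status, hdrs, body = self.server.handle(conn, {})
        if status != 401 or hdrs.get("WWW-Authenticate") != "NTLM":
            return status, body  # e.g. 200 straight away on a still-authenticated connection
        # Leg 1: Type 1 negotiate. The challenge is tied to this connection, which is
        # why keep-alive is mandatory across the legs of the handshake.
        status, hdrs, _ = self.server.handle(conn, {"Authorization": "NTLM TYPE1"})
        challenge = hdrs["WWW-Authenticate"].split(":", 1)[1]
        # Leg 2: Type 3 authenticate with the credentials resolved for this flow run.
        headers = {"Authorization": f"NTLM TYPE3:{user}:{ntlm_response(password, challenge)}"}
        if self.close_after_handshake:
            headers["Connection"] = "close"
        status, _, body = self.server.handle(conn, headers)
        return status, body


def run_scenario(close_after_handshake: bool = False,
                 auth_persist_single_request: bool = False) -> Tuple[int, int]:
    """Two flow runs on one requester: valid credentials, then a wrong password.
    Returns the status code of each run."""
    server = ToyIIS(auth_persist_single_request)
    client = ToyRequester(server, close_after_handshake)
    first, _ = client.get("svc_mule", "correct-horse")
    second, _ = client.get("svc_mule", "definitely-wrong")
    return first, second


if __name__ == "__main__":
    print("bug (keep-alive, no fix):        ", run_scenario())
    print("fix (Connection: close):         ", run_scenario(close_after_handshake=True))
    print("workaround (IIS single request): ", run_scenario(auth_persist_single_request=True))
```

With no fix the second run returns 200 although its password is wrong, because the pooled connection is still authenticated from the first run and the server never asks for credentials again. With Connection: close on the Type 3 request, or with the server dropping the state after that request, the second run has to redo the handshake and is rejected with 401.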

Comment by Pablo Balbi [ 15/Jul/19 ]

Issue does reproduce in Mule 4. Tracking progress here.

Comment by Pablo Balbi [ 16/Aug/19 ]

New Grizzly AHC version

Comment by Pablo Balbi [ 23/Oct/19 ]

This issue has been fixed since grizzly version 1_14-MULE-011, which is shipped since HTTP Service 1.4.4. 

This new service version has been shipped inside the distributions since mule-4.2.2, and mule-4.3.0.

Generated at Wed Nov 13 10:42:05 UTC 2019 using Jira 7.13.8#713008-sha1:1606a5c1e7006e1ab135aac81f7a9566b2dbc3a6.