apm-agent-dotnet
[BUG] NTLM negotiation logged as ERROR
APM Agent version
1.30.0
Environment
Windows .NET Framework 4.8 WebApp
Describe the bug
The situation I came across is when my web application receives a request and that request triggers a request/transaction using HttpWebRequest (System.Net) with NTLM authentication. This transaction is logged as an error (401), which is the NTLM negotiation response, despite the transaction actually giving 200.
Expected behavior
The transaction will be logged as success instead of the current error state.
Thanks for raising this @dsantos98. It might be hard to investigate as I don't know how to replicate the NTLM scenario. Are you saying there is a single HTTP request resulting in a 200 status code? Where is the 401 coming from? We treat that as a failure. Can you share any code to provide more context? Can you collect Agent trace logs to share with us, as those may also help?
Hi @stevejgordon,
There is some code where I make an HTTP request using the .NET WebClient class. Here I make a request to a URL using Windows credentials (NTLM):
As we can see in the Fiddler image below, this request generates a flow to authenticate the credentials:
So the 401 response comes from the Windows service telling the client that the request needs user credentials:
The transaction sample view is showing the WebClient request as an error.
And the span detail shows that the response is a 401,
but this status code response is not the final one.
Hi @stevejgordon
Can you help me with this issue?
Regards
Sorry for the delay, @dsantos98. Other priorities are ahead of this issue, and I have been out of the office for a while. I'll be honest; this isn't something I can immediately focus on. As far as I understand, NTLM is deprecated, and WebClient is also quite legacy and rarely used. WebClient calls into HttpWebRequest, which is instrumented. The final status of the span is set based on the final HTTP status code. So if it is >400, it's flagged as an error. However, we do also tag spans when exceptions occur. I don't know how NTLM auth works, but potentially, it throws an exception somewhere when authentication is required.
Are you able to debug through the Agent code with your app to see what happens inside HttpDiagnosticListenerFullFrameworkImpl? That would highlight more about what's happening. I'm unsure how to repro this myself as I'd need to set up NTLM auth etc.
You could also look at (and ideally share) the JSON for the actual span, which you can access via Kibana. That would show the actual field values we can check to see which might be interpreted as a failure in the UI.
Hi @stevejgordon,
If you use HttpClient instead of WebClient, the situation remains the same. And the span request continues to be logged as a 401 error despite the final response being a 200.
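The handshake discussed in this thread, as an added example that is not part of the issue and not the agent's code: one logical request over NTLM produces two 401 challenge responses before the real one, so the outcome has to be read from the last response only, and a final 401 still counts as a failure. The `Leg`, `LogicalRequest` and `Demo` names, the `>= 400` threshold and the captured responses are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical types for illustration; not part of the Elastic APM agent.
public sealed class Leg
{
    public int Status;
    public string[] WwwAuthenticate = new string[0];
}

public static class LogicalRequest
{
    // A 401 offering NTLM or Negotiate asks the client to continue the handshake.
    public static bool IsAuthChallenge(Leg leg) =>
        leg.Status == 401 && leg.WwwAuthenticate.Any(h =>
            h.StartsWith("NTLM", StringComparison.OrdinalIgnoreCase) ||
            h.StartsWith("Negotiate", StringComparison.OrdinalIgnoreCase));

    // Outcome comes from the last response only; earlier challenge legs are counted, not failed.
    public static (int FinalStatus, bool IsError, int ChallengeLegs) Evaluate(IReadOnlyList<Leg> legs)
    {
        if (legs.Count == 0) throw new ArgumentException("no responses captured", nameof(legs));
        var last = legs[legs.Count - 1];
        var challenges = legs.Take(legs.Count - 1).Count(IsAuthChallenge);
        return (last.Status, last.Status >= 400, challenges); // >= 400 is an assumed threshold
    }
}

public static class Demo
{
    static Leg L(int status, params string[] auth) => new Leg { Status = status, WwwAuthenticate = auth };

    public static void Main()
    {
        // Constructed capture: initial challenge, NTLM type-2 challenge, then the real response.
        var accepted = new[] { L(401, "Negotiate", "NTLM"), L(401, "NTLM <type-2 placeholder>"), L(200) };
        // Constructed capture: credentials rejected, so the final 401 is a genuine failure.
        var rejected = new[] { L(401, "Negotiate", "NTLM"), L(401, "NTLM <type-2 placeholder>"), L(401, "Negotiate", "NTLM") };

        Console.WriteLine(LogicalRequest.Evaluate(accepted));
        Console.WriteLine(LogicalRequest.Evaluate(rejected));
    }
}
```

Keeping the challenge-leg count alongside the final status preserves the authentication round trips for anyone reviewing the trace, while only a rejected handshake surfaces as an error.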