cyberduck icon indicating copy to clipboard operation
cyberduck copied to clipboard

Published 20 hours ago verified publisher icon iterate-ch

Unexpected 401 when using SharePoint WebDav NTLM authentication

Open AliveDevil opened this issue 2 years ago • 3 comments

With multiple connections opened for transferring items, there is a concurrency issue with the NTLM authentication state shared in the shared request context.

IMPORTANT: Please note HTTP context implementation, even when thread safe, may not be used concurrently by multiple threads, as the context may contain thread unsafe attributes.

HttpContext (Apache HttpComponents Core HTTP/1.1 5.2.2 API)

  1. SardineImpl uses singular cached HttpContext for all requests^1
  2. Only one DavClient extends SardineImpl is used for all Dav requests^2
  3. SardineImpl uses a request local HttpClientContext^3
  4. But at the same time uses a broad-scoped AuthState-cache ^4 which is the underlying issue: One AuthState-cache for all request going out. This would need to be configurable or request local scoped, instead of global.

AliveDevil avatar Sep 19 '23 08:09 AliveDevil

Previously in ^1 with follow up in ^2

dkocher avatar Sep 19 '23 21:09 dkocher

Oh … that's why there's a user token. That explains some things, but not all of them.

AliveDevil avatar Sep 20 '23 07:09 AliveDevil

The specific issue with NTLM authentication is that connections are stateful indicated by the Persistent-Auth: true response header.

The NTLM authentication scheme is significantly more expensive in terms of computational overhead and performance impact than the standard Basic and Digest schemes. This is likely to be one of the main reasons why Microsoft chose to make NTLM authentication scheme stateful. That is, once authenticated, the user identity is associated with that connection for its entire life span. The stateful nature of NTLM connections makes connection persistence more complex, as for the obvious reason persistent NTLM connections may not be re-used by users with a different user identity. The standard connection managers shipped with HttpClient are fully capable of managing stateful connections

Disabling connection reuse ^1 will immediately show a 401 response.

dkocher avatar Sep 29 '23 12:09 dkocher

~~Documentation to be updated with iterate-ch/docs#518 until a resolution is found.~~

dkocher avatar Apr 11 '24 07:04 dkocher

Is there any expected timeframe for fixing this error?

DmitryDemidov avatar Apr 22 '24 11:04 DmitryDemidov

The authentication cache in the client context is only populated for the BASIC authentication scheme ^1.

dkocher avatar Apr 23 '24 12:04 dkocher

Is there any expected timeframe for fixing this error?

We plan to include a fix in upcoming 8.9.0.

dkocher avatar Apr 24 '24 14:04 dkocher

Is there any expected timeframe for fixing this error?

We plan to include a fix in upcoming 8.9.0.

Thanks!

DmitryDemidov avatar Apr 24 '24 14:04 DmitryDemidov