We are seeing issues with seemingly random calls that are missing the POST in IE 11. Upon further inspection the requests from the browser are including an NTLM negotiation token. We see this token on GETs too from time to time, but they are unaffected by the body problem as they don't have one. Chrome and FF do not have this problem.
Further investigation shows that if our session times out and the browser is re-authed, then we will consistently see this problem after that at around 1 - 2 minute intervals. It is my understanding that if IE "expects" a 401, then it will not include the POST body as it expects the NTLM handshake to take place again.
We have an Angular app (currently mixed Angular 1 and 2, but occurred in 1 just before this). The Angular app makes RESTful webservice calls to our Spring Boot application. We are using Waffle for NTLM auth.
// Shiro-Waffle / Security
'com.github.dblock.waffle:waffle-parent:1.7.3',
'com.github.dblock.waffle:waffle-shiro:1.7.3',
'org.apache.shiro:shiro-core:1.2.3',
'org.apache.shiro:shiro-web:1.2.3',
I have one crappy workaround that I will post below as an answer, but I do not like it at all.
Ok, I found a registry hack for this. Basically IE proactively sends NTLM credentials without a 401 from the server. When sending "pre auth" IE will omit the POST body (if the request was a POST). If the session was already valid and the server already has you authorized, it lets the request through without a body and will cause an error on the server (assuming the body is required for your POST).
So a normal NTLM negotiation would look like
With this optimization
Problem occurs
Registry entry to add that prevents this "optimization"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Add the following registry value:
Value Name: DisableNTLMPreAuth
Data Type: REG_DWORD
Value: 1
Or save these entries to a .reg file on your machine and double-click it:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"DisableNTLMPreauth"=dword:00000001
I am not sure why IE thinks it has to re-auth, but from extensive testing it looks like once IE has a session timeout or the session is invalidated and it gets a 401 back from the server, it wants to re-auth every 1-2 minutes after that. This could have something to do with what URL you are at at the time of authentication, as you may not be at the root. The first link I provided talks a lot about IE's pickiness of URLs and how it guesses what should be authorized and what should not based on pathing.
Related articles:
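A server-side check for the request shape described in this answer, as an added example that is not part of the original post or of Waffle's code: it recognises a POST that carries an NTLM Type 1 (negotiate) token and an empty body, so a filter can send it through the handshake instead of passing it on an existing session. The function names, the `decide` policy and the sample tokens are assumptions constructed for illustration.

```python
import base64
import binascii
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def sample_token(msg_type):
    """Constructed header value: NTLMSSP signature, message type, zeroed flags."""
    raw = struct.pack("<8sII", NTLMSSP_SIGNATURE, msg_type, 0)
    return "NTLM " + base64.b64encode(raw).decode("ascii")


def ntlm_message_type(authorization):
    """Return 1, 2 or 3 for a raw NTLMSSP token in an Authorization header, else None."""
    scheme, _, token = (authorization or "").strip().partition(" ")
    if scheme.lower() not in ("ntlm", "negotiate") or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        return None  # e.g. a SPNEGO/Kerberos blob rather than raw NTLM
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    return msg_type if msg_type in (1, 2, 3) else None


def is_bodyless_preauth(method, headers):
    """True for a POST/PUT that arrives with an NTLM Type 1 token and Content-Length: 0."""
    if method.upper() not in ("POST", "PUT"):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("content-length", "").strip() != "0":
        return False
    return ntlm_message_type(lowered.get("authorization")) == 1


def decide(method, headers, session_valid):
    """Hypothetical filter policy: 'challenge' means run the NTLM handshake (401)."""
    if is_bodyless_preauth(method, headers):
        return "challenge"  # never hand the empty request to the application
    return "pass" if session_valid else "challenge"


if __name__ == "__main__":
    preauth = {"Authorization": sample_token(1), "Content-Length": "0"}
    print(decide("POST", preauth, session_valid=True))
```

Logging every request for which `is_bodyless_preauth` is true also shows how often clients are still pre-authenticating after the registry value has been rolled out.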