We are facing a problem with a customer that uses NTLM on their application. For this application CAS reports 2 million errors, but when we drill down to see the errors we can see that 99% of them are 401 HTTP errors. By discussing this with the customer we were told that this is the normal behaviour of NTLM authentication.
NTLM authentication occurs in 3 phases: the first two phases will return 401 errors as the user is not yet authenticated, and in the third phase the user authenticates and receives a 200. That's why we see a lot of 401 errors that are, for my customer, false positives. How should we prevent 401 from being reported for this application?
Is there a workaround for this situation? Below are some links on this situation:
http://blogs.msdn.com/b/daniem/archive/2009/07/02/son-normales-los-errores-http-401.1-y-401.2-que-ve... (sorry this one is in Spanish, could not find this in English)
Any help would be much appreciated.
I had the same challenge a couple of years ago and it still surfaces every now and then. Sometimes people accept the errors and live with it, knowing the meaning of them. Sometimes they take it to the next level.
One of my customers got rather upset when this was causing serious performance issues since the 3-step tango that MS does always incurred overhead and delays. They leaned on MS and apparently received a fix for it. In detail, I don't know what it was but it dropped all the legacy authentication attempts.
Basically the Windows way of doing things is to start at the lowest level of security, which I seem to recall was the LanMan method, and then being declined, and for every step you are being bumped up one level in the security chain. What happened at this customer is simply they jumped directly to the third step for all their authentications, so it's possible even though I'm afraid I can't help you with exactly how it's done.
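
An added example, not part of the thread or of any vendor tooling: one way to separate the handshake 401s described in the question from 401s that never complete, by pairing each 2xx/3xx response with up to two preceding 401s from the same client and URI. The log layout, the 5-second window and the client+URI pairing key are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed W3C-style field order; adjust to the server's actual #Fields line.
FIELDS = "date time c-ip cs-method cs-uri-stem cs-username sc-status".split()
WINDOW = timedelta(seconds=5)  # assumed upper bound for one handshake
HANDSHAKE_LEGS = 2             # the two 401s that precede the 200

# Constructed sample: one normal handshake, one client that never succeeds.
SAMPLE_LOG = """\
2024-01-10 09:00:00 10.0.0.5 GET /app/ - 401
2024-01-10 09:00:00 10.0.0.5 GET /app/ - 401
2024-01-10 09:00:01 10.0.0.5 GET /app/ alice 200
2024-01-10 09:05:00 10.0.0.9 GET /app/ - 401
2024-01-10 09:05:00 10.0.0.9 GET /app/ - 401
2024-01-10 09:05:01 10.0.0.9 GET /app/ - 401
2024-01-10 09:05:02 10.0.0.9 GET /app/ - 401
"""

def classify(log_text):
    """Return (handshake_401_count, {client_ip: unresolved_401_count})."""
    pending = defaultdict(list)    # (client, uri) -> timestamps of open 401s
    unresolved = defaultdict(int)  # client -> 401s not explained by a handshake
    handshake = 0
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split()))
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        key = (rec["c-ip"], rec["cs-uri-stem"])
        status = int(rec["sc-status"])
        if status == 401:
            pending[key].append(ts)
        elif 200 <= status < 400 and pending[key]:
            # Only the last two 401s inside the window count as handshake legs.
            recent = [t for t in pending[key] if ts - t <= WINDOW][-HANDSHAKE_LEGS:]
            handshake += len(recent)
            extra = len(pending[key]) - len(recent)
            if extra:
                unresolved[key[0]] += extra
            pending[key].clear()
    for (client, _uri), stamps in pending.items():
        if stamps:  # 401s never followed by a success
            unresolved[client] += len(stamps)
    return handshake, dict(unresolved)

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

Reporting only the unresolved count per client keeps the handshake noise out of the error total while still surfacing clients whose 401s never end in a successful authentication.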