Concurrency issue with winrm NTLM - http response error: 401 - invalid content type #142
Comments
I'm not seeing anything in the NTLM code that was just added that would cause concurrency issues. I don't have a setup allowing me to test concurrent access, so you'll have to help me troubleshoot the problem. |
Yes, I am able to reproduce the issue.
Initial investigation shows that the call in "CreateShell" to "response, err := c.sendRequest(request)" is returning a 401 - will investigate further
|
I have traced the code to Line 115 in 807053a
and then the code in github.com/bodgit/ntlmssp. It actually makes it through to the end, but a 401 is returned. I have put a mutex around the Do call as a test, with the same results. The only way I can make it work is by limiting the concurrent access to your "execute" method for the same IP.
|
Is there anything in the body or headers returned with the 401 response? |
@masterzen When I try to make multiple connections (concurrently, without NTLM, using normal WinRM) to the same Windows machine, I am able to do so. But when I try to make multiple connections to the same Windows machine using NTLM with WinRM, I am not able to connect. I have also tried to use 5 or fewer goroutines, but it still won't connect. In fact, I have tried to use 2 goroutines, but the result is still the same. I think it is definitely a concurrency issue. |
@CalypsoSys If a mutex is put on the Do method, then the code will not execute concurrently; instead every request will wait for the mutex to be released. And my requirement is to execute multiple commands at a time on the same machine. When I try to make multiple connections to the same device with normal WinRM (not using NTLM), I am able to do so. In that case it works fine and there is no concurrency issue. |
@NikunjPatel31 - new information from @bodgit - trying those now, see bodgit/ntlmssp#51. The mutex statement was more about my trying to figure out where the issue was, not a solution. |
@CalypsoSys I have tried this solution. Below is the code with changes. But this code still doesn't work. It still gives the same error. I have made these changes in the Encryption.go file.
I have also tried the below code with cleanhttp.DefaultPooledClient() instead of http.Client
|
I'll have a deeper look later, but my understanding is that NTLM authenticates TCP connections and not HTTP requests. Since encryption is dependent on the authentication, it is not possible to reuse a TCP connection for different underlying shells/commands because it would break the encryption scheme (especially during the challenge/response). |
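The connection-binding point in the comment above, as an added example that is not code from this thread or from the winrm or ntlmssp projects: a constructed `httptest` server ties each TCP connection to the first `X-Session` value it sees (a stand-in for per-connection authentication; the header and all function names are hypothetical), and the client sends two sessions through one shared `http.Client` pool and then through one `http.Transport` per session.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// newBoundServer is a constructed model of connection-bound auth: the first
// X-Session seen on a TCP connection owns it; any other session there gets 401.
func newBoundServer() *httptest.Server {
	var owner sync.Map // RemoteAddr (one per TCP connection) -> session
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		s := r.Header.Get("X-Session")
		if o, _ := owner.LoadOrStore(r.RemoteAddr, s); o != s {
			w.WriteHeader(http.StatusUnauthorized)
		}
	}))
}

// call sends one bodiless request for a session; it returns the status, or -1 on error.
func call(c *http.Client, url, session string) int {
	req, _ := http.NewRequest(http.MethodPost, url, nil) // url comes from httptest
	req.Header.Set("X-Session", session)
	resp, err := c.Do(req)
	if err != nil {
		return -1
	}
	resp.Body.Close()
	return resp.StatusCode
}

// run sends session A, then B. shared=true: both go through one client and its
// connection pool. shared=false: each session gets its own Transport.
func run(url string, shared bool) (int, int) {
	a, b := &http.Client{Transport: &http.Transport{}}, &http.Client{Transport: &http.Transport{}}
	if shared {
		b = a
	}
	return call(a, url, "A"), call(b, url, "B")
}

func main() {
	srv := newBoundServer()
	defer srv.Close()
	fmt.Println(run(srv.URL, true))  // 200 401: B was sent on A's pooled connection
	fmt.Println(run(srv.URL, false)) // 200 200: each session has its own connection
}
```

The requests are sequential and bodiless so that connection reuse is deterministic in this model; with goroutines sharing one client, a request is sent on whichever pooled connection happens to be idle.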
I'm seeing this in some logs:
I think I accidentally ran tests against the whole go package dir on github runner. Never mind, it should only affect tests and there's an issue at Azure/go-ntlmssp#40 |
Did this issue get fixed? |
I also meet this, any solution? |
When I try to connect to a Windows machine using NTLM authentication concurrently (using goroutines), winrm behaves randomly (most of the time it gives an error).
Here I am trying to connect to the same IP address concurrently. But when I try to connect to the same IP address (one by one, using a loop) it works properly.
The error that I am getting (during concurrent connection) is as follows:
I have also ensured that winrm and NTLM are both enabled on the machine.
I am using the latest merged code of @CalypsoSys for NTLM.
Below is the code: