[BUG] NTLM negotiation logged as ERROR #2466

Open
dsantos98 opened this issue Oct 15, 2024 · 5 comments
Labels
bug Something isn't working community question Further information is requested

@dsantos98

dsantos98 commented Oct 15, 2024

APM Agent version

1.30.0

Environment

Windows
.NET Framework 4.8 WebApp

Describe the bug

The situation I came across is when my web application receives a request and that request triggers a request/transaction using HttpWebRequest (System.Net) with NTLM authentication.
This transaction is logged as an error (401), which is the NTLM negotiation response, despite the transaction actually giving 200.

Expected behavior

The transaction will be logged as success instead of the current error state.

@dsantos98 dsantos98 added the bug Something isn't working label Oct 15, 2024
@dsantos98 dsantos98 changed the title [BUG] [BUG] NTLM negotiation logged as ERROR Oct 15, 2024
@stevejgordon
Contributor

Thanks for raising this @dsantos98. It might be hard to investigate as I don't know how to replicate the NTLM scenario. Are you saying there is a single HTTP request resulting in a 200 status code? Where is the 401 coming from? We treat that as a failure. Can you share any code to provide more context? Can you collect Agent trace logs to share with us, as those may also help?

@stevejgordon stevejgordon added question Further information is requested and removed triage labels Nov 11, 2024
@dsantos98
Author

dsantos98 commented Nov 12, 2024

Hi @stevejgordon,

There is some code where I make an HTTP request using the .NET WebClient class. Here I make a request to a URL using Windows credentials (NTLM):

Image

As we can see in the Fiddler image below, this request generates a flow to authenticate the credentials:

Image

So the 401 response comes from the Windows service, telling the client that the request needs user credentials:

Image

Image

Image

The transaction sample view is showing the WebClient request as an error.

Image

And the span detail shows that the response is a 401

Image

but this status code response is not the final one.
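
Added example, not part of the original comment or of the APM agent's code: one way to tell the 401 legs of an NTLM-over-HTTP handshake apart from a real authentication failure by reading the NTLM message type in the `Authorization` and `WWW-Authenticate` headers. It assumes the capture follows the usual 401, 401, 200 sequence with a single `WWW-Authenticate` value per response; the function names and the sample tokens are constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"

def ntlm_type(header_value):
    """Return the NTLM message type (1, 2 or 3) carried in an Authorization or
    WWW-Authenticate value, 0 for a bare 'NTLM' offer, None if it is not NTLM."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return None
    if not token.strip():
        return 0
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != NTLM_SIG:
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian type field

def classify(exchanges):
    """Label each (authorization, status, www_authenticate) round trip and
    return (labels, outcome) for the logical request as a whole."""
    labels = []
    for authz, status, www_auth in exchanges:
        sent, offered = ntlm_type(authz), ntlm_type(www_auth)
        if status == 401 and sent is None and offered == 0:
            labels.append("handshake: server offers NTLM")
        elif status == 401 and sent == 1 and offered == 2:
            labels.append("handshake: server challenge")
        elif status == 401 and sent == 3:
            labels.append("failure: credentials rejected")
        elif status >= 400:
            labels.append("failure")
        else:
            labels.append("success")
    # Only the last round trip decides the outcome; an unfinished handshake fails.
    outcome = "success" if labels and labels[-1] == "success" else "failure"
    return labels, outcome

def _msg(msg_type):
    # Constructed sample token: signature + type + zero padding, not a real capture.
    body = NTLM_SIG + struct.pack("<I", msg_type) + bytes(20)
    return "NTLM " + base64.b64encode(body).decode()

# Constructed exchange: anonymous request, Type 1 / Type 2 leg, then Type 3 with 200.
SAMPLE = [(None, 401, "NTLM"), (_msg(1), 401, _msg(2)), (_msg(3), 200, None)]
```

A 401 that answers a Type 3 message is the only 401 in this sequence that means the credentials were refused; the two earlier ones are protocol steps.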

@dsantos98
Author

Hi @stevejgordon

Can you help me with this issue?

Regards

@stevejgordon
Contributor

Sorry for the delay, @dsantos98. Other priorities are ahead of this issue, and I have been out of the office for a while. I'll be honest; this isn't something I can immediately focus on. As far as I understand, NTLM is deprecated, and WebClient is also quite legacy and rarely used. WebClient calls into HttpWebRequest, which is instrumented. The final status of the span is set based on the final HTTP status code. So if it is >400, it's flagged as an error. However, we do also tag spans when exceptions occur. I don't know how NTLM auth works, but potentially, it throws an exception somewhere when authentication is required.

Are you able to debug through the Agent code with your app to see what happens inside HttpDiagnosticListenerFullFrameworkImpl? That would highlight more about what's happening. I'm unsure how to repro this myself as I'd need to set up NTLM auth etc.

You could also look at (and ideally share) the JSON for the actual span, which you can access via Kibana. That would show the actual field values we can check to see which might be interpreted as a failure in the UI.

@dsantos98
Author

dsantos98 commented Feb 4, 2025

Hi @stevejgordon,
If you use HttpClient instead of WebClient, the situation remains the same. And the span request continues to be logged as a 401 error despite the final response being a 200.

Image

Image
