Fiddler Ideas

The free web debugging proxy for any browser, system or platform.

Fiddler only sends Session-Based-Authentication header when NTLM is the first WWW-Authenticate header

Observing session based authentication such as NTLM only works when the first WWW-Authenticate header in the 401 response is either either NTLM or Negotiate. For example, if I set up my server to send the headers in the following order:

WWW-Authenticate: NTLM
WWW-Authenticate: Bearer

Then the Proxy-Support: Session-Based-Authentication header is added by Fiddler and NTLM authentication succeeds. If I instead reorder them:

WWW-Authenticate: Bearer
WWW-Authenticate: NTLM

In this case the Proxy-Support: Session-Based-Authentication header is not added by Fiddler. If the client only supports NTLM and not bearer authentication, then the connection will fail unexpectedly.


In conclusion: It looks like fiddler is checking only the first WWW-Authenticate header when deciding whether or not to send Proxy-Support: Session-Based-Authentication. It should be checking all of the WWW-Authenticate headers.

  • Guest
  • Feb 5 2018
  • Under review
  • Attach files
  • Eric Lawrence commented
    7 Feb, 2018 11:03pm

    Yup, that's probably the case.