Fiddler only sends Session-Based-Authentication header

Fiddler only sends Session-Based-Authentication header when NTLM is the first WWW-Authenticate header

Observing session based authentication such as NTLM only works when the first WWW-Authenticate header in the 401 response is either either NTLM or Negotiate. For example, if I set up my server to send the headers in the following order:

WWW-Authenticate: NTLM
WWW-Authenticate: Bearer

Then the Proxy-Support: Session-Based-Authentication header is added by Fiddler and NTLM authentication succeeds. If I instead reorder them:

WWW-Authenticate: Bearer
WWW-Authenticate: NTLM

In this case the Proxy-Support: Session-Based-Authentication header is not added by Fiddler. If the client only supports NTLM and not bearer authentication, then the connection will fail unexpectedly.

In conclusion: It looks like fiddler is checking only the first WWW-Authenticate header when deciding whether or not to send Proxy-Support: Session-Based-Authentication. It should be checking all of the WWW-Authenticate headers.

Guest
Feb 5 2018
Under review

Bug

Comments (1)
Votes (2)

Attach files

Enter a subject

Eric Lawrence commented

February 07, 2018 23:03

Yup, that's probably the case.

Attachments Open full size

Fiddler Ideas

The free web debugging proxy for any browser, system or platform.

Fiddler only sends Session-Based-Authentication header when NTLM is the first WWW-Authenticate header

Related ideas

Fiddler only sends Session-Based-Authentication header when NTLM is the first WWW-Authenticate header

Identify yourself with your email address

Related ideas