NTLM Auth only performed on initial request #12

Open
alarmschaben opened this issue Jul 15, 2016 · 1 comment

alarmschaben commented Jul 15, 2016

Perhaps related to #8

I'm trying to get some monitoring data out of a Citrix Delivery Controller with an OData interface.

The initial instantiation goes well:

conn = OData::Service.open('http://citrixdlc/Citrix/Monitor/OData/v1/Data', {
    name: 'ODataDemo',
    typhoeus: {
        username: 'user',
        password: 'pass',
        httpauth: :ntlm
    }
})

TShark trace:

  1   0.000000   10.255.8.8 -> 10.252.7.110 TCP 76 54545 > http [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=3650992 TSecr=0 WS=128
  2   0.108825 10.252.7.110 -> 10.255.8.8   TCP 76 http > 54545 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1308 WS=256 SACK_PERM=1 TSval=12369861 TSecr=3650992
  3   0.108866   10.255.8.8 -> 10.252.7.110 TCP 68 54545 > http [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=3651019 TSecr=12369861
  4   0.109200   10.255.8.8 -> 10.252.7.110 HTTP 292 GET /Citrix/Monitor/OData/v1/Data/$metadata HTTP/1.1 , NTLMSSP_NEGOTIATE
  5   0.135973 10.252.7.110 -> 10.255.8.8   HTTP 469 HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE
  6   0.136007   10.255.8.8 -> 10.252.7.110 TCP 68 54545 > http [ACK] Seq=225 Ack=402 Win=30336 Len=0 TSval=3651026 TSecr=12369864
  7   0.137134   10.255.8.8 -> 10.252.7.110 HTTP 420 GET /Citrix/Monitor/OData/v1/Data/$metadata HTTP/1.1 , NTLMSSP_AUTH, User: \user
  8   0.194841 10.252.7.110 -> 10.255.8.8   TCP 1364 [TCP segment of a reassembled PDU]
[...]
 45   0.258720 10.252.7.110 -> 10.255.8.8   HTTP/XML 496 HTTP/1.1 200 OK 
 46   0.258729   10.255.8.8 -> 10.252.7.110 TCP 68 54545 > http [ACK] Seq=577 Ack=33230 Win=105344 Len=0 TSval=3651056 TSecr=12369876

But subsequent queries like

catalog = conn['Catalogs']

catalog.each do |m|
    pp m['Id']
end

are sent without indicating the willingness to authenticate:

46  47   3.263014   10.255.8.8 -> 10.252.7.110 HTTP 254 GET /Citrix/Monitor/OData/v1/Data/Catalogs?$inlinecount=allpages&$top=5 HTTP/1.1 
47  48   3.294559 10.252.7.110 -> 10.255.8.8   HTTP 237 HTTP/1.1 401 Unauthorized 

Repeating the same query works again.

@alarmschaben
Author

I believe the problem is that the server expects each query to be authenticated while the underlying HTTP library only authenticates upon initial opening of the HTTP session.

After the initial request, the session is kept open and the subsequent query fails. On that occasion, the server closes the connection and a new one is opened by the HTTP library, authenticating itself again to the server, thus receiving a valid response.
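
As an added example (not part of the issue or of the library), the following Ruby script pairs the HTTP requests and responses in tshark one-line summaries like the trace above and flags requests that carried no NTLMSSP message and were answered with 401. The `TRACE` sample is constructed from the HTTP lines quoted in the issue; the function names are hypothetical, and the pairing assumes one request in flight at a time.

```ruby
# Constructed sample: the HTTP summary lines from the trace in the issue
# (TCP-only frames omitted).
TRACE = <<~'EOT'
    4   0.109200   10.255.8.8 -> 10.252.7.110 HTTP 292 GET /Citrix/Monitor/OData/v1/Data/$metadata HTTP/1.1 , NTLMSSP_NEGOTIATE
    5   0.135973 10.252.7.110 -> 10.255.8.8   HTTP 469 HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE
    7   0.137134   10.255.8.8 -> 10.252.7.110 HTTP 420 GET /Citrix/Monitor/OData/v1/Data/$metadata HTTP/1.1 , NTLMSSP_AUTH, User: \user
   45   0.258720 10.252.7.110 -> 10.255.8.8   HTTP/XML 496 HTTP/1.1 200 OK
   47   3.263014   10.255.8.8 -> 10.252.7.110 HTTP 254 GET /Citrix/Monitor/OData/v1/Data/Catalogs?$inlinecount=allpages&$top=5 HTTP/1.1
   48   3.294559 10.252.7.110 -> 10.255.8.8   HTTP 237 HTTP/1.1 401 Unauthorized
EOT

# frame, time, src, dst, protocol column (HTTP or HTTP/XML), length, info
LINE = /^\s*(\d+)\s+[\d.]+\s+(\S+)\s+->\s+(\S+)\s+HTTP\S*\s+\d+\s+(.*)$/

# Which NTLMSSP message (if any) tshark decoded in this request or response.
def ntlm_stage(info)
  info[/NTLMSSP_(NEGOTIATE|CHALLENGE|AUTH)/, 1]&.downcase&.to_sym || :none
end

# Pair each request with the next response (assumes no pipelining).
def exchanges(trace)
  pending = nil
  trace.each_line.with_object([]) do |line, out|
    m = LINE.match(line) or next          # skip TCP-only and elided lines
    frame, info = m[1].to_i, m[4].strip
    if (status = info[%r{\AHTTP/\d\.\d (\d{3})}, 1])
      next unless pending
      out << pending.merge(status: status.to_i, server_ntlm: ntlm_stage(info))
      pending = nil
    elsif (req = info.match(%r{\A([A-Z]+) (\S+) HTTP/\d\.\d}))
      pending = { frame: frame, path: req[2], client_ntlm: ntlm_stage(info) }
    end
  end
end

# Requests sent with no NTLMSSP message and rejected with a 401 that carries
# no challenge, i.e. the failure reported here rather than a handshake step.
def unauthenticated_rejects(trace)
  exchanges(trace).select do |x|
    x[:status] == 401 && x[:client_ntlm] == :none && x[:server_ntlm] == :none
  end
end

if __FILE__ == $PROGRAM_NAME
  exchanges(TRACE).each { |x| puts x.inspect }
end
```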
