Issues with concurrent NTLM authentication when YARP uses SocketsHttpHandler #2948
Unanswered. hamelpierreluc asked this question in Q&A. Replies: 0 comments
Hello,
I’m using YARP as a reverse proxy in front of an internal API that requires Windows Authentication (NTLM).
When my web application directly calls the API using HttpClientHandler (with UseDefaultCredentials = true), concurrent requests (e.g., 10 simultaneous uploads) are handled correctly. The Windows native stack seems to manage the NTLM handshake across multiple requests without issues.
However, when the same calls go through YARP (which uses SocketsHttpHandler by default), I sometimes see multiple parallel NTLM negotiations, resulting in several 401 Unauthorized responses and, in rare cases, failed requests.
My understanding is that this difference comes from NTLM being connection-based, and SocketsHttpHandler not serializing the initial handshake the same way as HttpClientHandler.
Questions:
1. Is there a supported way in YARP to configure HttpClientHandler instead of SocketsHttpHandler for outbound requests? (I tried using .ConfigureHttpMessageHandler, but it seems tightly coupled to SocketsHttpHandler).
2. If not, is there a recommended workaround to avoid these concurrent NTLM negotiation issues (e.g., limiting MaxConnectionsPerServer, custom connection pooling, etc.)?
3. Is this a known limitation of SocketsHttpHandler with NTLM, and are there plans to align its behavior with the native HttpClientHandler for Windows Authentication scenarios?
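
The connection-cap option named in the second question, as an added example (not part of the original post, not YARP project code, and not a confirmed fix for the failures described). It uses YARP's `ConfigureHttpClient` callback; the cluster id `ntlm-api`, the `ReverseProxy` configuration section and the numeric values are assumptions.

```csharp
// Added example. Assumes routes and clusters are defined in a "ReverseProxy"
// configuration section and that one cluster, here called "ntlm-api"
// (hypothetical id), points at the NTLM-protected backend.
using System.Net;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddReverseProxy()
    .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"))
    .ConfigureHttpClient((context, handler) =>
    {
        // The callback receives the SocketsHttpHandler YARP creates per cluster.
        // Only touch the cluster that needs Windows Authentication.
        if (context.ClusterId != "ntlm-api")
        {
            return;
        }

        // Outbound requests authenticate as the identity the proxy process
        // runs under. The backend sees that account for every proxied caller,
        // so authorize end users at the proxy before forwarding.
        handler.Credentials = CredentialCache.DefaultCredentials;

        // NTLM authenticates a connection, not a request: each new pooled
        // connection goes through its own 401 challenge/response exchange.
        // Capping the pool bounds how many handshakes can run in parallel;
        // requests beyond the cap wait for a free connection.
        handler.MaxConnectionsPerServer = 2; // constructed value, tune under load

        // Keep authenticated connections in the pool longer so fewer
        // requests land on a connection that still has to negotiate.
        handler.PooledConnectionIdleTimeout = TimeSpan.FromMinutes(10); // constructed value
    });

var app = builder.Build();
app.MapReverseProxy();
app.Run();
```

A lower cap trades throughput for fewer simultaneous negotiations, so measure both the 401 count at the backend and the upload latency when changing it.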