Firefox's Connection:close Behavior in SAML SP / NTLM Authentication Environment
Hello everyone, We are currently investigating an issue where browsers are sending HTTP requests with Connection: close in the header during integrated Windows authentica… (прочетете още)
Hello everyone,
We are currently investigating an issue where browsers are sending HTTP requests with Connection: close in the header during integrated Windows authentication (NTLM authentication) via SAML Service Provider (SP), leading to premature termination of the TCP connection.
This behavior occurs in the middle of the authentication process, preventing the NTLM authentication from completing and subsequently prompting for re-authentication.
We have observed the following browser behaviors:
Chrome and Edge: These browsers function without issues, communicating with Connection: keep-alive. Safari (macOS): Older versions of macOS with Safari exhibit the Connection: close behavior, leading to authentication failure. Newer versions of macOS with Safari work correctly with Connection: keep-alive. Firefox (macOS): Even on the latest versions of macOS, Firefox continues to attach Connection: close, resulting in authentication failure. Upon reviewing logs, we've identified that various browsers attach the Connection: close header during the NTLMSSP_NEGOTIATE request in the NTLM authentication sequence. Although this happens in an environment with a load balancer, we have confirmed that the load balancer is not modifying the header; rather, the client (browser) is adding it.
We would appreciate your insights into the conditions under which Firefox attaches Connection: close to HTTP requests, especially considering the differences across macOS versions and other browsers, addressing the following points:
Are there any known conditions or past cases where Firefox outputs Connection: close in an NTLM authentication environment via SAML SP? Given that older Safari versions show similar behavior, we are also considering if there's a common factor depending on NTLM authentication and browser version. What are the general heuristics, logic, or triggers for a browser to decide to "close" a connection or to attach Connection: close? We are particularly interested in cases that occur mid-authentication process. Could specific configurations (e.g., the combination of SAML and NTLM authentication, or the presence of an intermediate proxy/load balancer) potentially influence Firefox's Connection: close behavior? Are there any additional logs or debugging information we should collect from the Firefox client side to further pinpoint this issue? Any guidance or suggestions you could provide to help us resolve this problem would be greatly appreciated.
Thank you.