OK, that’s super clear. Thanks.
In my experience your “working Scenario” is how NTLM typically works for Apple clients. Due to the architectural mismatch between NTLM and HTTP, we end up establishing redundant connections rather than authenticating the connection that’s already in place.
Pasted in below is an explanation of why NTLM is an ongoing source of pain on our platforms. If you have any control over the server, I strongly encourage you to use something else.
Notwithstanding that, NTLM does normally work, so I’m surprised you’re hitting a problem in a straightforward case like this. Have you tried setting the persistence parameter to .forSession?
Also, what version of iOS was used for these scenarios? Have you tested any others?
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
NTLM authentication does not follow the architecture for HTTP authentication schemes outlined in RFC 7235. Specifically, NTLM authenticates connections, not requests. This causes numerous problems:
- NTLM authentication is fundamentally incompatible with HTTP/2 because HTTP/2 uses one connection for multiple requests.
- NTLM authentication is an ongoing source of problems on Apple platforms because our HTTP stack was designed around the RFC 7235 architecture. Some of these problems are just bugs that need to be fixed, but others are more fundamental. For example, in many cases NSURLSession will end up creating extra connections just to deal with NTLM’s unusual requirements.
- NTLM authentication is less efficient than standard HTTP authentication. Specifically, every new NTLM connection requires 2 extra round trips to the server, whereas with standard HTTP authentication those round trips can often be skipped.
If the server you’re talking to supports an RFC 7235 compliant authentication scheme (typically Basic or Digest), or you have control over the server and can enable such a scheme, I strongly recommend you use a standard scheme rather than continuing with NTLM.
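An added example, not part of the post above and not Apple's code: a URLSession delegate that answers an NTLM challenge with a credential whose persistence is .forSession, the setting the post asks about. The class name NTLMSessionDelegate and the user and password values are assumptions made for illustration.

```swift
import Foundation

// Hypothetical delegate; the credentials are supplied by the caller, never hard-coded.
final class NTLMSessionDelegate: NSObject, URLSessionTaskDelegate {
    private let user: String
    private let password: String

    init(user: String, password: String) {
        self.user = user
        self.password = password
    }

    // URLSession falls back to this task-level method when the delegate
    // does not implement the session-level challenge handler.
    func urlSession(_ session: URLSession,
                    task: URLSessionTask,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        let space = challenge.protectionSpace

        // Answer only NTLM here; server trust and other schemes get default handling.
        guard space.authenticationMethod == NSURLAuthenticationMethodNTLM else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // A repeated challenge means the server rejected the credential.
        // Cancel instead of resending it, which avoids retry loops and account lockouts.
        guard challenge.previousFailureCount == 0 else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // .forSession keeps the credential in memory for the life of the session,
        // so the extra connections NTLM needs can reuse it; nothing goes to the keychain.
        let credential = URLCredential(user: user,
                                       password: password,
                                       persistence: .forSession)
        completionHandler(.useCredential, credential)
    }
}

// Constructed placeholder values for illustration only.
let delegate = NTLMSessionDelegate(user: "EXAMPLE\\user", password: "placeholder-password")
let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
```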