express-ntlm returning the wrong user

Question

I'm using express-ntlm to get the current user's windows ID in an intranet setting. It works fine most of the time, but occasionally it will return the ID of a completely different person. I'm guessing this is something to do with sessions maybe?

const ntlm = require('express-ntlm');

module.exports = app => {

  app.use(
    ntlm({
      debug: function() {
        var args = Array.prototype.slice.apply(arguments);
        console.log.apply(null, args);
      },
      domain: 'MS',
      domaincontroller: 'ldap://something.com'
    })
  );
app.post('/get-user-details/', (req, res) => {
console.log(req.ntlm.UserName); //Returns correct user most of the time, but sometimes it returns different person who open site at the same time
});

score 1 · Answer 1 · answered May 26 '19 at 13:57

1

Unfortunately NTLM authenticates connections, not sessions. Which was fine in the past, but doesn't make sense anymore, since browser tend to open multiple connections at once to speed up page loading and reverse proxies are sharing connections to the backend. That's where the problem is: Your reverse proxy will reuse already authenticated connections to the backend, and therefore mix up users. To mitigate this issue, you have to make sure your reverse proxy has NTLM support enabled.

There is still an open pull request for express-ntlm that adds a Keep-Alive property which might solve this issue, unfortunately it's widely untested and first needs to be verified.

answered May 26 '19 at 13:57

Fabio Poloni

8,219
5
44
74

Thanks for the info. Is anyone currently testing the PR? – Kieran Quinn Jun 04 '19 at 09:44
Feel free to test it and give feedback on GitHub. – Fabio Poloni Jun 05 '19 at 10:12
Done @Fabio-poloni – Kieran Quinn Jun 17 '19 at 15:19

express-ntlm returning the wrong user

1 Answers1