From e5d5ae9ab72ca41d40aa9a4dbc15722fd4101834 Mon Sep 17 00:00:00 2001
From: georne <77802995+georne@users.noreply.github.com>
Date: Sat, 6 Feb 2021 15:50:53 +0100
Subject: [PATCH] webdav: disable HTTP/2 for NTLM authentication (#2921)

As per Microsoft documentation, Windows authentication (NTLM/Kerberos/Negotiate) is not supported with HTTP/2. This patch disables transparent HTTP/2 support when the vendor setting is "sharepoint-ntlm". Otherwise connections to IIS/10.0 can fail with HTTP_1_1_REQUIRED.
Co-authored-by: Georg Neugschwandtner
---
 backend/webdav/webdav.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/backend/webdav/webdav.go b/backend/webdav/webdav.go
index 631ed110a..b6666582f 100644
--- a/backend/webdav/webdav.go
+++ b/backend/webdav/webdav.go
@@ -10,6 +10,7 @@ package webdav
 import (
 "bytes"
 "context"
+ "crypto/tls"
 "encoding/xml"
 "fmt"
 "io"
@@ -337,8 +338,15 @@ func NewFs(ctx context.Context, name, root string, m configmap.Mapper) (fs.Fs, e
 client := fshttp.NewClient(ctx)
 if opt.Vendor == "sharepoint-ntlm" {
+ // Disable transparent HTTP/2 support as per https://golang.org/pkg/net/http/ ,
+ // otherwise any connection to IIS 10.0 fails with 'stream error: stream ID 39; HTTP_1_1_REQUIRED'
+ // https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis says:
+ // 'Windows authentication (NTLM/Kerberos/Negotiate) is not supported with HTTP/2.'
+ t := fshttp.NewTransportCustom(ctx, func(t *http.Transport) {
+ t.TLSNextProto = map[string]func(string, *tls.Conn) http.RoundTripper{}
+ })
 // Add NTLM layer
- client.Transport = ntlmssp.Negotiator{RoundTripper: client.Transport}
+ client.Transport = ntlmssp.Negotiator{RoundTripper: t}
 }
 f := &Fs{
 name: name,
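Review bot: In the `sharepoint-ntlm` branch of the second hunk, the Negotiator now wraps a newly built transport `t` instead of the `client.Transport` that `fshttp.NewClient(ctx)` produced, so NTLM traffic no longer goes through the client's original transport. The hunk does not show `fshttp`, so it is worth confirming that `NewTransportCustom` applies the same certificate verification, CA/client-certificate and proxy settings as the default transport, since this path carries the NTLM handshake. I would record the intent next to the assignment with `// t replaces (does not wrap) client.Transport; it must carry the same TLS/proxy config`. As a style point, the callback parameter is also named `t`, which reads ambiguously beside the outer `t :=`; `func(tr *http.Transport) { tr.TLSNextProto = ... }` is clearer. The body of `NewFs` starts and ends outside this hunk.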