2 files changed, 11 insertions, 8 deletions

diff --git a/libsoup/soup-auth-ntlm.c b/libsoup/soup-auth-ntlm.c
index ddb6b2ed..926fd4a8 100644
--- a/libsoup/soup-auth-ntlm.c
+++ b/libsoup/soup-auth-ntlm.c
@@ -303,12 +303,15 @@ soup_auth_ntlm_update_connection (SoupConnectionAuth *auth, SoupMessage *msg,
 	if (conn->state > SOUP_NTLM_SENT_REQUEST) {
 		if (priv->password_state == SOUP_NTLM_PASSWORD_ACCEPTED) {
 			/* We know our password is correct, so a 401
-			 * means "permission denied". Since the conn
-			 * state is now FAILED, the auth is no longer
-			 * is_ready() for this message, so this will
-			 * cause a "retrying" authenticate signal.
+			 * means "permission denied". The code can't deal
+			 * with re-authenticating correctly, so make sure
+			 * we don't try.
 			 */
 			conn->state = SOUP_NTLM_FAILED;
+			if (soup_message_is_keepalive (msg)) {
+				soup_message_headers_append (msg->response_headers,
+							     "Connection", "close");
+			}
 			return TRUE;
 		}
 
diff --git a/tests/ntlm-test.c b/tests/ntlm-test.c
index a0e02ab4..11d40c3a 100644
--- a/tests/ntlm-test.c
+++ b/tests/ntlm-test.c
@@ -456,12 +456,12 @@ do_ntlm_round (SoupURI *base_uri, gboolean use_ntlm,
 		    SOUP_STATUS_UNAUTHORIZED);
 
 	/* 8. Server accepts Basic or NTLM from either user.
-	 * Alice-via-NTLM is still authenticated at this point from #6,
-	 * and Bob-via-NTLM is authenticated from #7, so neither
-	 * of them will do anything.
+	 * NTLM users will try NTLM without getting a prompt (their
+	 * previous NTLM connections will have been closed by the 401
+	 * from /basic). Non-NTLM users will be prompted for either.
 	 */
 	do_message (session, base_uri, "/either",
-		    !use_ntlm, FALSE,
+		    !use_ntlm, use_ntlm,
 		    !use_ntlm, !use_ntlm && user != NULL,
 		    user != NULL ? SOUP_STATUS_OK :
 		    SOUP_STATUS_UNAUTHORIZED);