From 33e43985b8f3b9e66691d06e70be0395849856cd Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Thu, 2 Apr 2026 11:33:39 +0200
Subject: [PATCH] url: improve connection reuse on negotiate

Check state of negotiate to allow proper connection reuse.

Closes #21203
---
 lib/url.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/lib/url.c b/lib/url.c
index c377f0733b..c61c89c39d 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1085,11 +1085,17 @@ static bool url_match_auth_ntlm(struct connectdata *conn,
   if(m->want_ntlm_http) {
     if(Curl_timestrcmp(m->needle->user, conn->user) ||
        Curl_timestrcmp(m->needle->passwd, conn->passwd)) {
-
       /* we prefer a credential match, but this is at least a connection
-         that can be reused and "upgraded" to NTLM */
-      if(conn->http_ntlm_state == NTLMSTATE_NONE)
+         that can be reused and "upgraded" to NTLM if it does
+         not have any auth ongoing. */
+#ifdef USE_SPNEGO
+      if((conn->http_ntlm_state == NTLMSTATE_NONE)
+         && (conn->http_negotiate_state == GSS_AUTHNONE)) {
+#else
+      if(conn->http_ntlm_state == NTLMSTATE_NONE) {
+#endif
         m->found = conn;
+      }
       return FALSE;
     }
   }