Hello everyone,
we are exposing a set of REST endpoints with NTLM authentication enabled. All these services are also described through Swagger, giving the developers a nice and easy tool to test them.
I have set up the Swagger definition to include the specific security definitions, allowing authentication on each specific service. When a user tries to invoke one of the services, the portal correctly highlights the need for authentication (a red warning next to the operation). Through the portal popup it is possible to input the NTLM token for authentication (as in the attached picture).
However, when testing the service this fails...
The CORS protection has a preflight OPTIONS request that does not allow custom headers to be included in it, and this results in a 401 Unauthorized error.
Option 1:
Looking around, it seems like there could be a workaround of allowing all OPTIONS requests and including the Access-Control-Allow-Credentials header (it does not seem to be included at the moment).
I'm not sure this is something that could be solved through a configuration within Neuron... do you have any thoughts or ideas?
Option 2:
What about disabling the authentication for a specific deployment group (e.g. TEST)? I have tried setting an empty ACL through binding, but this does not disable the Security Model. What about making the Security Model configurable through a property?
Thank you very much
Regards
Fabrizio
Tags: NTLM, authentication, swagger
Hi everyone,
any thoughts, ideas or suggestions on this?
Thanks
Fabrizio
Hi Fabrizio,
I am still looking into it, will update you later today...
For Option 1), unfortunately our current implementation of the CORS extension to REST endpoints lacks support for NTLM authentication; we will work on getting this in place.
I think Option 2) will be easy to implement. I will update the binding for the security section of ServiceConnector so you can use an environment variable for that as well.
Thanks Manoj.
I think those are two alternative solutions. It would be nice to have them both supported.
I'll wait for some update on this.
Fabrizio
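Added example, not part of the thread and not Neuron ESB code: a sketch of the Option 1 idea as a front-end decision function that answers genuine CORS preflights without authentication while every other request still needs credentials. The origin `https://swagger.example.test`, the method and header lists, and the function names are assumptions; the `Authorization` presence check only stands in for the real NTLM handshake done by the service.

```javascript
// Constructed allowlists (assumptions); replace with the real Swagger portal origin.
const ALLOWED_ORIGINS = new Set(["https://swagger.example.test"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

// Lower-case header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

function corsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin, // "*" is rejected by browsers with credentials
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Returns {status, headers} to answer at once, or {pass: true, headers} to forward.
function handle(req) {
  const h = normalize(req.headers);
  const origin = h["origin"];
  const originOk = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  const acrm = h["access-control-request-method"];
  const isPreflight = req.method === "OPTIONS" && origin !== undefined && acrm !== undefined;
  if (isPreflight) {
    // Browsers send preflights without credentials, so no auth is demanded here.
    if (!originOk || !ALLOWED_METHODS.includes(acrm.toUpperCase())) {
      return { status: 403, headers: {} };
    }
    const wanted = (h["access-control-request-headers"] || "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
    if (!wanted.every((x) => ALLOWED_HEADERS.includes(x))) return { status: 403, headers: {} };
    return { status: 204, headers: { ...corsHeaders(origin),
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", ") } };
  }
  const cors = originOk ? corsHeaders(origin) : {};
  // Everything else, including a bare OPTIONS, still requires authentication.
  // Presence check only: the NTLM exchange itself is left to the protected service.
  if (!h["authorization"]) {
    return { status: 401, headers: { ...cors, "WWW-Authenticate": "NTLM" } };
  }
  return { pass: true, headers: cors };
}
```

Only OPTIONS requests that carry both `Origin` and `Access-Control-Request-Method` from an allowlisted origin bypass authentication, which is narrower than allowing all OPTIONS requests.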
Neuron ESB Product Support Forums and Communities