Hauke,

NTLM problems are notoriously difficult to troubleshoot. Usually it all boils down to extensive guesswork.

(1) Is the user name in the fully-qualified format: <domain>/<account>? If yes, use the account name only.
(2) Do you have any 'funny' characters in the password (like German umlauts, for instance)? If yes, try using an account with a plain US-ASCII password.

Oleg

-----Original Message-----
From: Fuhrmann, Hauke [mailto:[EMAIL PROTECTED]
Sent: Monday, May 03, 2004 16:11
To: '[EMAIL PROTECTED]'
Subject: NTLM authentication problem

Hi there,

I hope you can help me with a little problem I got: I have to download a file from a MS IIS webserver which uses NTLM authentication. The only client I performed a successful download with is MS IE. But I have to use a Java client, so I tried the jakarta commons httpclient. I implemented a test class which sets the correct NTCredentials and performs the request. The source looks somehow like this:

    String url = "http://host/index.html";
    NTCredentials creds = new NTCredentials(
        "username", "password", "hostname", "domain");
    HttpClient client = new HttpClient();
    HttpMethod method = new GetMethod(url);
    client.getState().setCredentials(null, null, creds);

where 'username', 'password', 'hostname' and 'domain' are changed with the correct values for the server. After running

    int statusCode = client.executeMethod(method);

I get the following logfile output:

---------------------------------------
[DEBUG] HttpClient - -Java version: 1.4.2
[DEBUG] HttpClient - -Java vendor: Sun Microsystems Inc.
[DEBUG] HttpClient - -Operating system name: Windows 2000
[DEBUG] HttpClient - -Operating system architecture: x86
[DEBUG] HttpClient - -Operating system version: 5.0
[DEBUG] HttpClient - -SUN 1.42: SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores)
[DEBUG] HttpClient - -SunJSSE 1.42: Sun JSSE provider(implements RSA Signatures, PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
[DEBUG] HttpClient - -SunRsaSign 1.42: SUN's provider for RSA signatures
[DEBUG] HttpClient - -SunJCE 1.42: SunJCE Provider (implements DES, Triple DES, AES, Blowfish, PBE, Diffie-Hellman, HMAC-MD5, HMAC-SHA1)
[DEBUG] HttpClient - -SunJGSS 1.0: Sun (Kerberos v5)
[DEBUG] HttpConnection - -HttpConnection.setSoTimeout(0)
[DEBUG] HttpMethodBase - -Execute loop try 1
[DEBUG] wire - ->> "GET /index.html HTTP/1.1[\r][\n]"
[DEBUG] HttpMethodBase - -Adding Host request header
[DEBUG] wire - ->> "User-Agent: Jakarta Commons-HttpClient/2.0final[\r][\n]"
[DEBUG] wire - ->> "Host: host[\r][\n]"
[DEBUG] wire - ->> "[\r][\n]"
[DEBUG] wire - -<< "HTTP/1.1 401 Access Denied[\r][\n]"
[DEBUG] wire - -<< "Server: Microsoft-IIS/5.0[\r][\n]"
[DEBUG] wire - -<< "Date: Mon, 03 May 2004 12:47:03 GMT[\r][\n]"
[DEBUG] wire - -<< "WWW-Authenticate: Negotiate[\r][\n]"
[DEBUG] wire - -<< "WWW-Authenticate: NTLM[\r][\n]"
[DEBUG] wire - -<< "Connection: close[\r][\n]"
[DEBUG] wire - -<< "Content-Length: 24[\r][\n]"
[DEBUG] wire - -<< "Content-Type: text/html[\r][\n]"
[DEBUG] HttpMethodBase - -Authorization required
[DEBUG] HttpAuthenticator - -Authenticating with the default authentication realm at host
[DEBUG] HttpMethodBase - -HttpMethodBase.execute(): Server demanded authentication credentials, will try again.
[DEBUG] wire - -<< "Error: Access is Denied."
[DEBUG] HttpMethodBase - -Should close connection in response to Connection: close
[DEBUG] HttpMethodBase - -Execute loop try 2
[DEBUG] HttpMethodBase - -Opening the connection.
[DEBUG] wire - ->> "GET /index.html HTTP/1.1[\r][\n]"
[DEBUG] HttpMethodBase - -Request to add Host header ignored: header already added
[DEBUG] wire - ->> "User-Agent: Jakarta Commons-HttpClient/2.0final[\r][\n]"
[DEBUG] wire - ->> "Host: host[\r][\n]"
[DEBUG] wire - ->> "Authorization: NTLM TlRMTVNTUAABAAAABlIAABgAGAAoAAAACAAIACAAAABEMDE1Nzc4MkFGSVMuUk9DS1dFTExDT0x MSU5TLkNPTQ==[\r][\n]"
[DEBUG] wire - ->> "[\r][\n]"
[DEBUG] wire - -<< "HTTP/1.1 401 Access Denied[\r][\n]"
[DEBUG] wire - -<< "Server: Microsoft-IIS/5.0[\r][\n]"
[DEBUG] wire - -<< "Date: Mon, 03 May 2004 12:47:03 GMT[\r][\n]"
[DEBUG] wire - -<< "WWW-Authenticate: NTLM TlRMTVNTUAACAAAABAAEADAAAAAGAoEAfy2cSecyuJ8AAAAAAAAAAI4AjgA0AAAAQUZJUwIACAB BAEYASQBTAAEACABBAE4AUwBVAAQAMABhAGYAaQBzAC4AcgBvAGMAawB3AGUAbABsAGMAbwBsAG wAaQBuAHMALgBjAG8AbQADADoAYQBuAHMAdQAuAGEAZgBpAHMALgByAG8AYwBrAHcAZQBsAGwAY wBvAGwAbABpAG4AcwAuAGMAbwBtAAAAAAA=[\r][\n]"
[DEBUG] wire - -<< "Content-Length: 24[\r][\n]"
[DEBUG] wire - -<< "Content-Type: text/html[\r][\n]"
[DEBUG] HttpMethodBase - -Authorization required
[DEBUG] HttpAuthenticator - -Authenticating with the default authentication realm at host
[DEBUG] HttpMethodBase - -HttpMethodBase.execute(): Server demanded authentication credentials, will try again.
[DEBUG] wire - -<< "Error: Access is Denied."
[DEBUG] HttpMethodBase - -Resorting to protocol version default close connection policy
[DEBUG] HttpMethodBase - -Should NOT close connection, using HTTP/1.1.
[DEBUG] HttpMethodBase - -Execute loop try 3
[DEBUG] wire - ->> "GET /index.html HTTP/1.1[\r][\n]"
[DEBUG] HttpMethodBase - -Request to add Host header ignored: header already added
[DEBUG] wire - ->> "User-Agent: Jakarta Commons-HttpClient/2.0final[\r][\n]"
[DEBUG] wire - ->> "Host: host[\r][\n]"
[DEBUG] wire - ->> "Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGkAAAAAAAAAgQAAABgAGABAAAAACQAJAFgAAAAIAAgAYQAAAAAAAAC BAAAABlIAAEFGSVMuUk9DS1dFTExDT0xMSU5TLkNPTVJPT1RBRE1JTkQwMTU3NzgyJGvqRAbUDM au2Xvs7/czsCLtV0s5fmPn[\r][\n]"
[DEBUG] wire - ->> "[\r][\n]"
[DEBUG] wire - -<< "HTTP/1.1 401 Access Denied[\r][\n]"
[DEBUG] wire - -<< "Server: Microsoft-IIS/5.0[\r][\n]"
[DEBUG] wire - -<< "Date: Mon, 03 May 2004 12:47:05 GMT[\r][\n]"
[DEBUG] wire - -<< "WWW-Authenticate: Negotiate[\r][\n]"
[DEBUG] wire - -<< "WWW-Authenticate: NTLM[\r][\n]"
[DEBUG] wire - -<< "Connection: close[\r][\n]"
[DEBUG] wire - -<< "Content-Length: 24[\r][\n]"
[DEBUG] wire - -<< "Content-Type: text/html[\r][\n]"
[DEBUG] HttpMethodBase - -Authorization required
[INFO] HttpMethodBase - -Already tried to authenticate with 'null' authentication realm at ansu, but still receiving: HTTP/1.1 401 Access Denied
[DEBUG] HttpMethodBase - -Buffering response body
[DEBUG] wire - -<< "Error: Access is Denied."
[DEBUG] HttpMethodBase - -Should close connection in response to Connection: close
Error: Access is Denied.
-------------------------------------------------------------------------------------------

So after the handshake the authentication was not successful. What went wrong? I cannot see too much in that NTLM message, but in comparison to the messages the MS IE sends they look a bit different.

I logged the traffic the MS IE does and it looks like this:

-------------------------------------------------------------------------------------------
GET /index.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Accept-Language: de
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; H010818)
Host: host
Connection: Keep-Alive
Authorization: NTLM TlRMTVNTUAABAAAAB4IIoAAAAAAAAAAAAAAAAAAAAAA=

HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
Date: Mon, 03 May 2004 12:43:27 GMT
WWW-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADAAAAAFgomgUZrE0tSyEkwAAAAAAAAAAI4AjgA4AAAAQQBGAEkAUwA CAAgAQQBGAEkAUwABAAgAQQBOAFMAVQAEADAAYQBmAGkAcwAuAHIAbwBjAGsAdwBlAGwAbABjAG 8AbABsAGkAbgBzAC4AYwBvAG0AAwA6AGEAbgBzAHUALgBhAGYAaQBzAC4AcgBvAGMAawB3AGUAb ABsAGMAbwBsAGwAaQBuAHMALgBjAG8AbQAAAAAA
Content-Length: 24
Content-Type: text/html

Error: Access is Denied.

GET /index.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Accept-Language: de
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; H010818)
Host: host
Connection: Keep-Alive
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJIAAAC+AL4AqgAAADAAMABAAAAAEgASAHAAAAAQABAAggAAAAAAAAB oAQAABYKIoGEAZgBpAHMALgByAG8AYwBrAHcAZQBsAGwAYwBvAGwAbABpAG4AcwAuAGMAbwBtAH IAbwBvAHQAYQBkAG0AaQBuAEQAMAAxADUANwA3ADgAMgAFd79T6lFtE0X9Kr8EzRokwS2McGRle u2ElDAdnU93j14Z3czOQSPUAQEAAAAAAAAwrDw7DDHEAcEtjHBkZXrtAAAAAAIACABBAEYASQBT AAEACABBAE4AUwBVAAQAMABhAGYAaQBzAC4AcgBvAGMAawB3AGUAbABsAGMAbwBsAGwAaQBuAHM ALgBjAG8AbQADADoAYQBuAHMAdQAuAGEAZgBpAHMALgByAG8AYwBrAHcAZQBsAGwAYwBvAGwAbA BpAG4AcwAuAGMAbwBtAAAAAAAAAAAA

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Cache-Control: no-cache
Expires: Mon, 03 May 2004 12:43:27 GMT
Date: Mon, 03 May 2004 12:43:27 GMT
Content-Type: text/xml
Accept-Ranges: bytes
Last-Modified: Mon, 03 May 2004 12:43:22 GMT
ETag: "90c5c38c31c41:8b0"
Content-Length: 62746

[...]
-------------------------------------------------------------------------------------------

As you see the second message from the MS IE client is much longer than the second message of the jakarta httpclient. Does it submit any extra information needed by the NTLM algorithm? Is this a bug or any other setting I forgot to set?

Can anybody help? Any help would be appreciated.

Thanks a lot.

Hauke Fuhrmann
Airbus Deutschland GmbH
ECYA3 - Cabin Communication Systems & Application
Kreetslag 10
21129 Hamburg, Germany
Phone: +49 (0) 40 743 - 88260
Mail: [EMAIL PROTECTED]
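
Added example (not part of the original mails and not HttpClient code): a small Python decoder for the fixed header of an NTLM Type 3 message, run on the first 66 bytes of the two third-leg Authorization values quoted in the traces above, to make the difference between the HttpClient and MSIE responses visible. The function and constant names are made up for this example.

```python
import base64
import struct

# First 66 bytes (header only) of the two Type 3 messages quoted in this thread.
HTTPCLIENT_T3 = ("TlRMTVNTUAADAAAAGAAYAGkAAAAAAAAAgQAAABgAGABAAAAACQAJAFgAAAAIAAgA"
                 "YQAAAAAAAACBAAAABlIAAEFG")
IE_T3 = ("TlRMTVNTUAADAAAAGAAYAJIAAAC+AL4AqgAAADAAMABAAAAAEgASAHAAAAAQABAA"
         "ggAAAAAAAABoAQAABYKIoGEA")

FLAG_NAMES = {  # subset of the NTLMSSP negotiate flags
    0x00000001: "UNICODE",
    0x00000002: "OEM",
    0x00000200: "NTLM",
    0x00080000: "EXTENDED_SESSIONSECURITY",
    0x20000000: "128",
    0x80000000: "56",
}
FIELDS = ("lm", "nt", "domain", "user", "workstation", "session_key")


def parse_type3_header(b64):
    """Return ({field: (length, offset)}, flags) for an NTLM Type 3 message."""
    msg = base64.b64decode("".join(b64.split()))  # drop mail-wrap whitespace
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message with a 64-byte header")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a Type 3 (authenticate) message")
    fields = {}
    for i, name in enumerate(FIELDS):
        # security buffer: uint16 length, uint16 allocated, uint32 offset
        length, _alloc, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        fields[name] = (length, offset)
    return fields, struct.unpack_from("<I", msg, 60)[0]


def describe(b64):
    """Classify the response by NT response length and list known flags."""
    fields, flags = parse_type3_header(b64)
    nt_len = fields["nt"][0]
    if nt_len == 0:
        kind = "LM response only"
    elif nt_len == 24:
        kind = "24-byte NT response (NTLMv1 or NTLM2 session)"
    else:
        kind = "NTLMv2 response"  # 16-byte HMAC-MD5 plus variable blob
    names = [n for bit, n in sorted(FLAG_NAMES.items()) if flags & bit]
    return kind, names


if __name__ == "__main__":
    for label, blob in (("HttpClient 2.0", HTTPCLIENT_T3), ("MSIE 6.0", IE_T3)):
        print(label, *describe(blob))
```

On these two traces it reports a 24-byte LM response with an empty NT response and OEM strings for HttpClient 2.0, and a 190-byte NTLMv2 response with Unicode strings for MSIE.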