Github user michael-o commented on the issue:
https://github.com/apache/httpcomponents-client/pull/66
@semancik
> E.g. if you need device that is not part of the domain to access WinRM
> service. That is often the case for monitoring or management infrastructure
> (such as IDM).
Agreed, but the user account has to be in the Active Directory otherwise
even NTLM won't work.
> As for the disagreement: the original NTLM "engine" in HTTP client was
> stateless. I guess that it was stateless because it was only partial
> implementation done long before Microsoft opened up the specifications. The
> implementation was a simple 3-message exchange which was not that hard to
> implement in a stateless way. However, CredSSP needs full NTLM implementation
> with wrapping (a.k.a. "encryption") capability. Therefore I have implemented
> it. In a stateful way, which was quite an obvious choice. But my contribution
> was re-engineered to stateless implementation once again. Without any
> explanation. That was the point that I have decided that the cooperation won't
> work.
That's pretty sad. I have checked the entire discussion and it was changed
back and forth, but NTLM must be stateful. Everything does not make sense to me.
> I needed CredSSP to take precedence over NTLM during auth negotiation.
> And I needed updated NTLM implementation (as explained above).
That's partially true. What you can do is have the NTLM engine updated and
keep the CredSSP for yourself while setting an auth scheme registry. This would
have solved your problem.
The PR itself just wasn't granular enough, I would have rejected it too and
requested to split it into several ones as I do for all Maven PRs.