Thanks Oleg.

We were looking some more for clarification on Jakarta http-client's known
limitations and problems section (please see below). Microsoft has recently
helped us with a customer issue involving http connectivity and they claim
that Jakarta http client only supports Lan Manager authentication which is a
more primitive version of NTLM. We wanted to get confirmation from you that
indeed this is the case, but if you are not able to answer, we would take
Microsoft’s statement.

*Cannot authenticate with Microsoft IIS using NTLM authentication scheme*
NT Lan Manager (NTLM) authentication is a proprietary, closed
challenge/response authentication protocol for Microsoft Windows. Only some
details about NTLM protocol are available through reverse engineering.
HttpClient provides limited support for what is known as NTLMv1, the early
version of the NTLM protocol.

Please let us know your thoughts.

Thanks
Yashwant

On Wed, May 6, 2009 at 11:36 AM, Oleg Kalnichevski <[email protected]> wrote:

> yoga p wrote:
>
>> Hi Oleg,
>>
>> Thanks for your suggestion.
>>
>> So it seems that httpclient-3.0-rc2 does not support NTLM v1 completely. To
>> make it work, 'Network security: Do not store LAN Manager Hash value on next
>> password change.' setting needs to be disabled which indicates that
>> httpclient-3.0-rc2 works fine with earlier version of NTLM v1 which I assume
>> is LAN Manager (LM). *Is this correct?*
>>
>>
> How am I supposed to know? NTLM is a proprietary authentication scheme,
> which until recently did not have any publicly available documentation at
> all. If you are a Microsoft paying customer consider contacting Microsoft
> official support channels.
>
>> Also, I looked at the guide (url you sent me) and found out that
>> httpclient-4.0 does not support NTLM out of the box due to legal (licensing)
>> issues. But if required, end user can use some 3rd party NTLM implementation
>> and use it in httpclient-4.0.
>> Please advise.
>>
>>
> Generally my advice is to NOT use NTLM. You'll be much better off in terms
> of security with SSL + Basic authentication.
>
> Oleg
>
>
>> Thanks again for your help.
>>
>> Mr. Yoga
>> On Wed, May 6, 2009 at 10:12 AM, Oleg Kalnichevski <[email protected]>
>> wrote:
>>
>>> On Wed, May 06, 2009 at 09:36:30AM -0700, yoga p wrote:
>>>
>>>> Hi,
>>>>
>>>> We are using HttpClient (commons-httpclient-3.0-rc2.jar) for NTLM
>>>> Authentication and currently facing issues when the following security
>>>> setting in Windows Server 2003 or (win xp) is enabled:
>>>> Control Panel -> Administrative Tools -> Domain Security Policy -> Local
>>>> Policies -> Security Options -> Network security: Do not store LAN Manager
>>>> Hash value on next password change.
>>>> Click Enabled and then click OK.
>>>> After setting this property, NTLM authentication fails with following error:
>>>> HTTP Error 401.1 - Unauthorized: Access is denied due to invalid
>>>> credentials.
>>>> Has anyone faced similar issue? If so, is there any possible work around
>>>> other than disabling above setting?
>>>> Also, does it mean that httpclient is not supporting NTLM v1?
>>>> In the authentication guide of httpclient (
>>>> http://hc.apache.org/httpclient-3.x/authentication.html), under known
>>>> limitations and problems, it is mentioned that "HttpClient provides limited
>>>> support for what is known as NTLMv1, the early version of the NTLM
>>>> protocol." Does anybody know what is the early version of the NTLM protocol?
>>>>
>>>> Thanks in advance.
>>>>
>>>> Mr. Yoga
>>>>
>>> Your only option is upgrading to HttpClient 4.0 and following this guide:
>>>
>>> http://hc.apache.org/httpcomponents-client/ntlm.html
>>>
>>> Oleg
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [email protected]
>>> For additional commands, e-mail: [email protected]
>>>
>>>
>>>
>>
>
>
>
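
The thread leaves open whether the client sends only a LAN Manager response. One way to check from a captured `Authorization: NTLM ...` request header is to read the response lengths out of the final (type 3) NTLM message; this is an added example, not code from the thread or from HttpClient. It assumes the field layout in Microsoft's published MS-NLMP specification, and the sample messages are constructed in the code with filler bytes.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"

def _field(msg, pos):
    """Return the bytes named by a (length, max length, offset) descriptor at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("descriptor at byte %d points outside the message" % pos)
    return msg[offset:offset + length]

def inspect_type3(header_value):
    """Report which challenge responses an 'Authorization: NTLM ...' value carries."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization value")
    msg = base64.b64decode(blob.strip(), validate=True)
    if len(msg) < 28 or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected AUTHENTICATE (type 3), got type %d" % msg_type)
    lm, nt = _field(msg, 12), _field(msg, 20)  # LM response, then NT response
    return {
        "lm_len": len(lm),
        "nt_len": len(nt),
        "lm_only": len(lm) > 0 and len(nt) == 0,  # server would need a stored LM hash
        "ntlmv2": len(nt) > 24,  # NTLMv1 NT responses are exactly 24 bytes
    }

def build_sample(lm, nt):
    """Constructed type 3 message: 64-byte header followed by the two responses."""
    msg = SIGNATURE + struct.pack("<I", 3)
    msg += struct.pack("<HHI", len(lm), len(lm), 64)
    msg += struct.pack("<HHI", len(nt), len(nt), 64 + len(lm))
    end = 64 + len(lm) + len(nt)
    msg += struct.pack("<HHI", 0, 0, end) * 4  # domain, user, workstation, session key
    msg += struct.pack("<I", 0)  # negotiate flags, unused here
    return "NTLM " + base64.b64encode(msg + lm + nt).decode("ascii")

if __name__ == "__main__":
    # Filler bytes stand in for the responses; these are not real credentials.
    print(inspect_type3(build_sample(b"\xaa" * 24, b"")))
    print(inspect_type3(build_sample(b"\xaa" * 24, b"\xbb" * 24)))
```

A result with `lm_only` set means the server can only validate the request against a stored LM hash, which is the hash the policy setting discussed above stops storing.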
