On Wed, May 06, 2009 at 05:53:19PM -0700, yoga p wrote:
> Thanks Oleg.
>
> We were looking some more for clarification on Jakarta http-client's known
> limitations and problems section (please see below). Microsoft has recently
> helped us with a customer issue involving http connectivity and they claim
> that Jakarta http client only supports Lan Manager authentication which is a
> more primitive version of NTLM. We wanted to get confirmation from you that
> indeed this is the case, but if you are not able to answer, we would take
> Microsoft's statement.
>
> *Cannot authenticate with Microsoft IIS using NTLM authentication scheme*
> NT Lan Manager (NTLM) authentication is a proprietary, closed
> challenge/response authentication protocol for Microsoft Windows. Only some
> details about NTLM protocol are available through reverse engineering.
> HttpClient provides limited support for what is known as NTLMv1, the early
> version of the NTLM protocol.
>
> Please let us know of your thoughts.
>
> Thanks
> Yashwant
>

Yashwant,

The NTLM code in HttpClient 3.x is based on a reverse engineered and therefore likely inconsistent and incomplete specification. There is no way of telling exactly what aspects of NTLMv1 it implements and to what extent. This is precisely a major reason for HttpClient 4.0 reliance on an external NTLM library maintained by people who probably have the best knowledge about Microsoft network protocols barring Microsoft itself.

Oleg

> On Wed, May 6, 2009 at 11:36 AM, Oleg Kalnichevski <[email protected]> wrote:
>
> > yoga p wrote:
> >
> >> Hi Oleg,
> >>
> >> Thanks for your suggestion.
> >>
> >> So it seems that httpclient-3.0-rc2 does not support NTLM v1 completely. To
> >> make it work, 'Network security: Do not store LAN Manager Hash value on next
> >> password change.' setting needs to be disabled which indicates that
> >> httpclient-3.0-rc2 works fine with earlier version of NTLM v1 which I assume
> >> is LAN Manager (LM). *Is this correct?*
> >>
> > How am I supposed to know? NTLM is a proprietary authentication scheme,
> > which until recently did not have any publicly available documentation at
> > all. If you are a Microsoft paying customer consider contacting Microsoft
> > official support channels.
> >
> >> Also, I looked at the guide (url you sent me) and found out that
> >> httpclient-4.0 does not support NTLM out of the box due to legal (licensing)
> >> issues. But if required, end user can use some 3rd party NTLM implementation
> >> and use it in httpclient-4.0.
> >> Please advise.
> >>
> > Generally my advice is to NOT use NTLM. You'll be much better off in terms
> > of security with SSL + Basic authentication.
> >
> > Oleg
> >
> >> Thanks again for your help.
> >>
> >> Mr. Yoga
> >> On Wed, May 6, 2009 at 10:12 AM, Oleg Kalnichevski <[email protected]>
> >> wrote:
> >>
> >>> On Wed, May 06, 2009 at 09:36:30AM -0700, yoga p wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> We are using HttpClient (commons-httpclient-3.0-rc2.jar) for NTLM
> >>>> Authentication and currently facing issues when the following security
> >>>> setting in Windows Server 2003 (or Win XP) is enabled:
> >>>> Control Panel -> Administrative Tools -> Domain Security Policy -> Local
> >>>> Policies -> Security Options -> Network security: Do not store LAN Manager
> >>>> Hash value on next password change.
> >>>> Click Enabled and then click OK.
> >>>> After setting this property, NTLM authentication fails with following error:
> >>>> HTTP Error 401.1 - Unauthorized: Access is denied due to invalid
> >>>> credentials.
> >>>> Has anyone faced similar issue? If so, is there any possible work around
> >>>> other than disabling above setting?
> >>>> Also, does it mean that httpclient is not supporting NTLM v1?
> >>>> In the authentication guide of httpclient (
> >>>> http://hc.apache.org/httpclient-3.x/authentication.html), under known
> >>>> limitations and problems, it is mentioned that "HttpClient provides limited
> >>>> support for what is known as NTLMv1, the early version of the NTLM
> >>>> protocol." Does anybody know what is the early version of the NTLM protocol?
> >>>>
> >>>> Thanks in advance.
> >>>>
> >>>> Mr. Yoga
> >>>>
> >>> Your only option is upgrading to HttpClient 4.0 and following this guide:
> >>>
> >>> http://hc.apache.org/httpcomponents-client/ntlm.html
> >>>
> >>> Oleg
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: [email protected]
> >>> For additional commands, e-mail: [email protected]
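
One way to see which NTLM response fields an HTTP client actually sends, rather than inferring it from the policy setting discussed in the thread, is to decode the Type 3 message from a captured `Authorization: NTLM ...` header. This is an added example, not code from the thread or from HttpClient; the field offsets follow the published NTLM message layout, and the sample messages are constructed with dummy bytes.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"

def _field(msg, pos):
    """Read a security buffer (len, maxlen, offset) at pos and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def inspect_type3(header_value):
    """Summarise the response fields of an 'NTLM <base64>' Authorization value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 52 or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected Type 3 (AUTHENTICATE), got type %d" % msg_type)
    lm, nt = _field(msg, 12), _field(msg, 20)  # LM buffer at 12, NT buffer at 20
    if not nt:
        nt_kind = "absent"
    elif len(nt) == 24:
        nt_kind = "24-byte (NTLMv1-style)"
    else:
        nt_kind = "variable-length (NTLMv2-style)"
    return {"lm_len": len(lm), "nt_len": len(nt), "nt_kind": nt_kind}

def build_sample(lm, nt):
    """Constructed Type 3 message for the demo: dummy responses, empty names."""
    header_len = 52  # signature, type, and five 8-byte security buffers
    payload, fields = b"", b""
    for data in (lm, nt, b"", b"", b""):  # LM, NT, domain, user, workstation
        fields += struct.pack("<HHI", len(data), len(data), header_len + len(payload))
        payload += data
    msg = SIGNATURE + struct.pack("<I", 3) + fields + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")

if __name__ == "__main__":
    print(inspect_type3(build_sample(b"\x11" * 24, b"")))           # LM field only
    print(inspect_type3(build_sample(b"\x11" * 24, b"\x22" * 24)))  # LM + 24-byte NT
```

A 24-byte LM field can carry more than one kind of response, so its length alone shows only that the field is populated, not which algorithm produced it.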
