Re: SPNEGO and NTLMv2

[Pedro Saraiva]

Hi Oleg,

Here's the session log from the code I posted earlier:
executing request: GET /services/files/ HTTP/1.1
to target: http://172.27.192.171:8080
2012/06/05 15:13:53:580 WEST [DEBUG] BasicClientConnectionManager - Get 
connection for route {}->http://172.27.192.171:8080
2012/06/05 15:13:53:604 WEST [DEBUG] DefaultClientConnectionOperator - 
Connecting to 172.27.192.171:8080
2012/06/05 15:13:53:625 WEST [DEBUG] RequestAddCookies - CookieSpec 
selected: best-match
2012/06/05 15:13:53:643 WEST [DEBUG] RequestAuthCache - Auth cache not 
set in the context
2012/06/05 15:13:53:644 WEST [DEBUG] RequestTargetAuthentication - 
Target auth state: UNCHALLENGED
2012/06/05 15:13:53:644 WEST [DEBUG] RequestProxyAuthentication - Proxy 
auth state: UNCHALLENGED
2012/06/05 15:13:53:644 WEST [DEBUG] DefaultHttpClient - Attempt 1 to 
execute request
2012/06/05 15:13:53:645 WEST [DEBUG] DefaultClientConnection - Sending 
request: GET /services/files/ HTTP/1.1
2012/06/05 15:13:53:646 WEST [DEBUG] headers - >> GET /services/files/ 
HTTP/1.1
2012/06/05 15:13:53:646 WEST [DEBUG] headers - >> Host: 172.27.192.171:8080
2012/06/05 15:13:53:646 WEST [DEBUG] headers - >> Connection: Keep-Alive
2012/06/05 15:13:53:646 WEST [DEBUG] headers - >> User-Agent: 
Apache-HttpClient/4.2 (java 1.5)
2012/06/05 15:13:53:653 WEST [DEBUG] DefaultClientConnection - Receiving 
response: HTTP/1.1 401 Unauthorized
2012/06/05 15:13:53:653 WEST [DEBUG] headers - << HTTP/1.1 401 Unauthorized
2012/06/05 15:13:53:653 WEST [DEBUG] headers - << Server: Apache-Coyote/1.1
2012/06/05 15:13:53:654 WEST [DEBUG] headers - << X-Powered-By: 
Servlet/3.0; JBossAS-6
2012/06/05 15:13:53:654 WEST [DEBUG] headers - << WWW-Authenticate: 
Negotiate
2012/06/05 15:13:53:654 WEST [DEBUG] headers - << Connection: keep-alive
2012/06/05 15:13:53:654 WEST [DEBUG] headers - << Content-Type: 
text/html;charset=utf-8
2012/06/05 15:13:53:654 WEST [DEBUG] headers - << Content-Length: 952
2012/06/05 15:13:53:654 WEST [DEBUG] headers - << Date: Tue, 05 Jun 2012 
14:14:50 GMT
2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient - Connection can 
be kept alive indefinitely
2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient - 
172.27.192.171:8080 requested authentication
2012/06/05 15:13:53:661 WEST [DEBUG] TargetAuthenticationStrategy - 
Authentication schemes in the order of preference: [negotiate, Kerberos, 
NTLM, Digest, Basic]
2012/06/05 15:13:53:675 WEST [DEBUG] SPNegoScheme - Received challenge 
'' from the auth server
2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy - 
Challenge for Kerberos authentication scheme not available
2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy - 
Challenge for NTLM authentication scheme not available
2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy - 
Challenge for Digest authentication scheme not available
2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy - 
Challenge for Basic authentication scheme not available
2012/06/05 15:13:53:677 WEST [DEBUG] DefaultHttpClient - Selected 
authentication options: [NEGOTIATE]
2012/06/05 15:13:53:678 WEST [DEBUG] RequestAddCookies - CookieSpec 
selected: best-match
2012/06/05 15:13:53:678 WEST [DEBUG] RequestAuthCache - Auth cache not 
set in the context
2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication - 
Target auth state: CHALLENGED
2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication - 
Generating response to an authentication challenge using Negotiate scheme
2012/06/05 15:13:53:679 WEST [DEBUG] SPNegoScheme - init 172.27.192.171:8080
2012/06/05 15:13:53:750 WEST [WARN] RequestTargetAuthentication - 
NEGOTIATE authentication error: No valid credentials provided (Mechanism 
level: No valid credentials provided (Mechanism level: Failed to find 
any Kerberos tgt))
2012/06/05 15:13:53:750 WEST [DEBUG] RequestProxyAuthentication - Proxy 
auth state: UNCHALLENGED
2012/06/05 15:13:53:750 WEST [DEBUG] DefaultHttpClient - Attempt 2 to 
execute request
2012/06/05 15:13:53:750 WEST [DEBUG] DefaultClientConnection - Sending 
request: GET /services/files/ HTTP/1.1
2012/06/05 15:13:53:751 WEST [DEBUG] headers - >> GET /services/files/ 
HTTP/1.1
2012/06/05 15:13:53:751 WEST [DEBUG] headers - >> Host: 172.27.192.171:8080
2012/06/05 15:13:53:751 WEST [DEBUG] headers - >> Connection: Keep-Alive
2012/06/05 15:13:53:751 WEST [DEBUG] headers - >> User-Agent: 
Apache-HttpClient/4.2 (java 1.5)
2012/06/05 15:13:53:776 WEST [DEBUG] DefaultClientConnection - Receiving 
response: HTTP/1.1 401 Unauthorized
----------------------------------------
HTTP/1.1 401 Unauthorized
2012/06/05 15:13:53:776 WEST [DEBUG] headers - << HTTP/1.1 401 Unauthorized
Response content length: 952
2012/06/05 15:13:53:776 WEST [DEBUG] headers - << Server: Apache-Coyote/1.1
2012/06/05 15:13:53:776 WEST [DEBUG] headers - << X-Powered-By: 
Servlet/3.0; JBossAS-6
2012/06/05 15:13:53:776 WEST [DEBUG] headers - << WWW-Authenticate: 
Negotiate
2012/06/05 15:13:53:777 WEST [DEBUG] headers - << Connection: keep-alive
2012/06/05 15:13:53:777 WEST [DEBUG] headers - << Content-Type: 
text/html;charset=utf-8
2012/06/05 15:13:53:777 WEST [DEBUG] headers - << Content-Length: 952
2012/06/05 15:13:53:777 WEST [DEBUG] headers - << Date: Tue, 05 Jun 2012 
14:14:50 GMT
2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient - Connection can 
be kept alive indefinitely
2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient - 
172.27.192.171:8080 requested authentication
2012/06/05 15:13:53:778 WEST [DEBUG] DefaultHttpClient - Authorization 
challenge processed
2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Received challenge 
'' from the auth server
2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Authentication 
already attempted
2012/06/05 15:13:53:780 WEST [DEBUG] DefaultHttpClient - Authentication 
failed
2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager - 
Releasing connection 
org.apache.http.impl.conn.ManagedClientConnectionImpl@7f565474
2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager - 
Connection can be kept alive indefinitely
2012/06/05 15:13:53:783 WEST [DEBUG] DefaultClientConnection - 
Connection 0.0.0.0:43639<->172.27.192.171:8080 closed

Kind regards,
Pedro Saraiva

Em 05-06-2012 15:00, Oleg Kalnichevski escreveu:
On Tue, 2012-06-05 at 11:52 +0100, Pedro Saraiva wrote:
Hello,

I have a site protected with SPNEGO. The authentication can be performed
with both Kerberos and NTLMv2.

I'm trying to use HttpClient 4.2 to authenticate against this site
through NTLMv2 but without success so far. Here's my sample code:

          HttpHost targetHost = new HttpHost("172.27.192.171", 8080, "http");

          DefaultHttpClient httpclient = new DefaultHttpClient();

          try {
              httpclient.getCredentialsProvider().setCredentials(
                      new AuthScope(targetHost.getHostName(),
targetHost.getPort()),
                      new NTCredentials("psaraiva", "psaraiva",
InetAddress.getLocalHost().getHostName(), "DEV"));
                      //new UsernamePasswordCredentials("psaraiva",
"psaraiva" ));

              // Create AuthCache instance
              AuthCache authCache = new BasicAuthCache();
              // Generate BASIC scheme object and add it to the local
              // auth cache
              BasicScheme basicAuth = new BasicScheme();
              authCache.put(targetHost, basicAuth);

              // Add AuthCache to the execution context
              BasicHttpContext localcontext = new BasicHttpContext();
              localcontext.setAttribute(ClientContext.AUTH_CACHE, authCache);

              HttpGet httpget = new HttpGet("/services/files/");

              System.out.println("executing request: " +
httpget.getRequestLine());
              System.out.println("to target: " + targetHost);

              HttpResponse response = httpclient.execute(targetHost,
httpget);//, localcontext);
              HttpEntity entity = response.getEntity();


System.out.println("----------------------------------------");
               System.out.println(response.getStatusLine());
                if (entity != null) {
                    System.out.println("Response content length: " +
entity.getContentLength());
                }
                EntityUtils.consume(entity);

          } finally {
              // When HttpClient instance is no longer needed,
              // shut down the connection manager to ensure
              // immediate deallocation of all system resources
              httpclient.getConnectionManager().shutdown();
          }

HttpClient seems to only try the Kerberos authentication and outputs the
following warning:
WARN [main] (RequestAuthenticationBase.java:88) - NEGOTIATE
authentication error: No valid credentials provided (Mechanism level: No
valid credentials provided (Mechanism level: Failed to find any Kerberos
tgt))

However, I want it to force it to use NTLMv2. From the HttpClient NTLM
auth page it states that NTLMv2 is supported since version 4.1.

Does HttpClient 4.2 support NTLMv2 over SPNEGO? Or it's my bad
configuration that's causing it not to use NTLMv2?

Kind regards,

Pedro Saraiva

Hi Pedro

Generally SPNEGO takes precedence over NTLM per default but HttpClient
4.2 should have automatically attempted to authenticate with NTLM after
SPNEGO failure.

Could you please post a complete wire log of the HTTP session?

http://hc.apache.org/httpcomponents-client-ga/logging.html

Oleg



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org