On Tue, 2012-06-05 at 15:19 +0100, Pedro Saraiva wrote:
> Hi Oleg,
>
> Here's the session log from the code I posted earlier:
>
> executing request: GET /services/files/ HTTP/1.1
> to target: http://172.27.192.171:8080
> 2012/06/05 15:13:53:580 WEST [DEBUG] BasicClientConnectionManager - Get
> connection for route {}->http://172.27.192.171:8080
> 2012/06/05 15:13:53:604 WEST [DEBUG] DefaultClientConnectionOperator -
> Connecting to 172.27.192.171:8080
> 2012/06/05 15:13:53:625 WEST [DEBUG] RequestAddCookies - CookieSpec
> selected: best-match
> 2012/06/05 15:13:53:643 WEST [DEBUG] RequestAuthCache - Auth cache not
> set in the context
> 2012/06/05 15:13:53:644 WEST [DEBUG] RequestTargetAuthentication -
> Target auth state: UNCHALLENGED
> 2012/06/05 15:13:53:644 WEST [DEBUG] RequestProxyAuthentication - Proxy
> auth state: UNCHALLENGED
> 2012/06/05 15:13:53:644 WEST [DEBUG] DefaultHttpClient - Attempt 1 to
> execute request
> 2012/06/05 15:13:53:645 WEST [DEBUG] DefaultClientConnection - Sending
> request: GET /services/files/ HTTP/1.1
> 2012/06/05 15:13:53:646 WEST [DEBUG] headers - >> GET /services/files/
> HTTP/1.1
> 2012/06/05 15:13:53:646 WEST [DEBUG] headers - >> Host: 172.27.192.171:8080
> 2012/06/05 15:13:53:646 WEST [DEBUG] headers - >> Connection: Keep-Alive
> 2012/06/05 15:13:53:646 WEST [DEBUG] headers - >> User-Agent:
> Apache-HttpClient/4.2 (java 1.5)
> 2012/06/05 15:13:53:653 WEST [DEBUG] DefaultClientConnection - Receiving
> response: HTTP/1.1 401 Unauthorized
> 2012/06/05 15:13:53:653 WEST [DEBUG] headers - << HTTP/1.1 401 Unauthorized
> 2012/06/05 15:13:53:653 WEST [DEBUG] headers - << Server: Apache-Coyote/1.1
> 2012/06/05 15:13:53:654 WEST [DEBUG] headers - << X-Powered-By:
> Servlet/3.0; JBossAS-6
> 2012/06/05 15:13:53:654 WEST [DEBUG] headers - << WWW-Authenticate:
> Negotiate
Well, as you can see the server has been configured to support SPNEGO
only. NTLM is not include in the authentication challenge as a supported
option.
Oleg
> 2012/06/05 15:13:53:654 WEST [DEBUG] headers - << Connection: keep-alive
> 2012/06/05 15:13:53:654 WEST [DEBUG] headers - << Content-Type:
> text/html;charset=utf-8
> 2012/06/05 15:13:53:654 WEST [DEBUG] headers - << Content-Length: 952
> 2012/06/05 15:13:53:654 WEST [DEBUG] headers - << Date: Tue, 05 Jun 2012
> 14:14:50 GMT
> 2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient - Connection can
> be kept alive indefinitely
> 2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient -
> 172.27.192.171:8080 requested authentication
> 2012/06/05 15:13:53:661 WEST [DEBUG] TargetAuthenticationStrategy -
> Authentication schemes in the order of preference: [negotiate, Kerberos,
> NTLM, Digest, Basic]
> 2012/06/05 15:13:53:675 WEST [DEBUG] SPNegoScheme - Received challenge
> '' from the auth server
> 2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy -
> Challenge for Kerberos authentication scheme not available
> 2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy -
> Challenge for NTLM authentication scheme not available
> 2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy -
> Challenge for Digest authentication scheme not available
> 2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy -
> Challenge for Basic authentication scheme not available
> 2012/06/05 15:13:53:677 WEST [DEBUG] DefaultHttpClient - Selected
> authentication options: [NEGOTIATE]
> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestAddCookies - CookieSpec
> selected: best-match
> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestAuthCache - Auth cache not
> set in the context
> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication -
> Target auth state: CHALLENGED
> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication -
> Generating response to an authentication challenge using Negotiate scheme
> 2012/06/05 15:13:53:679 WEST [DEBUG] SPNegoScheme - init 172.27.192.171:8080
> 2012/06/05 15:13:53:750 WEST [WARN] RequestTargetAuthentication -
> NEGOTIATE authentication error: No valid credentials provided (Mechanism
> level: No valid credentials provided (Mechanism level: Failed to find
> any Kerberos tgt))
> 2012/06/05 15:13:53:750 WEST [DEBUG] RequestProxyAuthentication - Proxy
> auth state: UNCHALLENGED
> 2012/06/05 15:13:53:750 WEST [DEBUG] DefaultHttpClient - Attempt 2 to
> execute request
> 2012/06/05 15:13:53:750 WEST [DEBUG] DefaultClientConnection - Sending
> request: GET /services/files/ HTTP/1.1
> 2012/06/05 15:13:53:751 WEST [DEBUG] headers - >> GET /services/files/
> HTTP/1.1
> 2012/06/05 15:13:53:751 WEST [DEBUG] headers - >> Host: 172.27.192.171:8080
> 2012/06/05 15:13:53:751 WEST [DEBUG] headers - >> Connection: Keep-Alive
> 2012/06/05 15:13:53:751 WEST [DEBUG] headers - >> User-Agent:
> Apache-HttpClient/4.2 (java 1.5)
> 2012/06/05 15:13:53:776 WEST [DEBUG] DefaultClientConnection - Receiving
> response: HTTP/1.1 401 Unauthorized
> ----------------------------------------
> HTTP/1.1 401 Unauthorized
> 2012/06/05 15:13:53:776 WEST [DEBUG] headers - << HTTP/1.1 401 Unauthorized
> Response content length: 952
> 2012/06/05 15:13:53:776 WEST [DEBUG] headers - << Server: Apache-Coyote/1.1
> 2012/06/05 15:13:53:776 WEST [DEBUG] headers - << X-Powered-By:
> Servlet/3.0; JBossAS-6
> 2012/06/05 15:13:53:776 WEST [DEBUG] headers - << WWW-Authenticate:
> Negotiate
> 2012/06/05 15:13:53:777 WEST [DEBUG] headers - << Connection: keep-alive
> 2012/06/05 15:13:53:777 WEST [DEBUG] headers - << Content-Type:
> text/html;charset=utf-8
> 2012/06/05 15:13:53:777 WEST [DEBUG] headers - << Content-Length: 952
> 2012/06/05 15:13:53:777 WEST [DEBUG] headers - << Date: Tue, 05 Jun 2012
> 14:14:50 GMT
> 2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient - Connection can
> be kept alive indefinitely
> 2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient -
> 172.27.192.171:8080 requested authentication
> 2012/06/05 15:13:53:778 WEST [DEBUG] DefaultHttpClient - Authorization
> challenge processed
> 2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Received challenge
> '' from the auth server
> 2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Authentication
> already attempted
> 2012/06/05 15:13:53:780 WEST [DEBUG] DefaultHttpClient - Authentication
> failed
> 2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager -
> Releasing connection
> org.apache.http.impl.conn.ManagedClientConnectionImpl@7f565474
> 2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager -
> Connection can be kept alive indefinitely
> 2012/06/05 15:13:53:783 WEST [DEBUG] DefaultClientConnection -
> Connection 0.0.0.0:43639<->172.27.192.171:8080 closed
>
> Kind regards,
> Pedro Saraiva
>
> Em 05-06-2012 15:00, Oleg Kalnichevski escreveu:
> > On Tue, 2012-06-05 at 11:52 +0100, Pedro Saraiva wrote:
> >> Hello,
> >>
> >> I have a site protected with SPNEGO. The authentication can be performed
> >> with both Kerberos and NTLMv2.
> >>
> >> I'm trying to use HttpClient 4.2 to authenticate against this site
> >> through NTLMv2 but without success so far. Here's my sample code:
> >>
> >> HttpHost targetHost = new HttpHost("172.27.192.171", 8080,
> >> "http");
> >>
> >> DefaultHttpClient httpclient = new DefaultHttpClient();
> >>
> >> try {
> >> httpclient.getCredentialsProvider().setCredentials(
> >> new AuthScope(targetHost.getHostName(),
> >> targetHost.getPort()),
> >> new NTCredentials("psaraiva", "psaraiva",
> >> InetAddress.getLocalHost().getHostName(), "DEV"));
> >> //new UsernamePasswordCredentials("psaraiva",
> >> "psaraiva" ));
> >>
> >> // Create AuthCache instance
> >> AuthCache authCache = new BasicAuthCache();
> >> // Generate BASIC scheme object and add it to the local
> >> // auth cache
> >> BasicScheme basicAuth = new BasicScheme();
> >> authCache.put(targetHost, basicAuth);
> >>
> >> // Add AuthCache to the execution context
> >> BasicHttpContext localcontext = new BasicHttpContext();
> >> localcontext.setAttribute(ClientContext.AUTH_CACHE,
> >> authCache);
> >>
> >> HttpGet httpget = new HttpGet("/services/files/");
> >>
> >> System.out.println("executing request: " +
> >> httpget.getRequestLine());
> >> System.out.println("to target: " + targetHost);
> >>
> >> HttpResponse response = httpclient.execute(targetHost,
> >> httpget);//, localcontext);
> >> HttpEntity entity = response.getEntity();
> >>
> >>
> >> System.out.println("----------------------------------------");
> >> System.out.println(response.getStatusLine());
> >> if (entity != null) {
> >> System.out.println("Response content length: " +
> >> entity.getContentLength());
> >> }
> >> EntityUtils.consume(entity);
> >>
> >> } finally {
> >> // When HttpClient instance is no longer needed,
> >> // shut down the connection manager to ensure
> >> // immediate deallocation of all system resources
> >> httpclient.getConnectionManager().shutdown();
> >> }
> >>
> >> HttpClient seems to only try the Kerberos authentication and outputs the
> >> following warning:
> >> WARN [main] (RequestAuthenticationBase.java:88) - NEGOTIATE
> >> authentication error: No valid credentials provided (Mechanism level: No
> >> valid credentials provided (Mechanism level: Failed to find any Kerberos
> >> tgt))
> >>
> >> However, I want it to force it to use NTLMv2. From the HttpClient NTLM
> >> auth page it states that NTLMv2 is supported since version 4.1.
> >>
> >> Does HttpClient 4.2 support NTLMv2 over SPNEGO? Or it's my bad
> >> configuration that's causing it not to use NTLMv2?
> >>
> >> Kind regards,
> >>
> >> Pedro Saraiva
> >>
> > Hi Pedro
> >
> > Generally SPNEGO takes precedence over NTLM per default but HttpClient
> > 4.2 should have automatically attempted to authenticate with NTLM after
> > SPNEGO failure.
> >
> > Could you please post a complete wire log of the HTTP session?
> >
> > http://hc.apache.org/httpcomponents-client-ga/logging.html
> >
> > Oleg
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
