Hi,

The server sends only Negotiate, but the negotiable sub-mechanisms include Kerberos and NTLMv2 (not NTLM). I think that's why it's called Negotiate: the server and the client can agree upon a mechanism supported by both. Attached is a Wireshark screenshot that shows the packets sent during a session between a browser and the server. As you can see, the server sends an Unauthorized with only WWW-Authenticate: Negotiate. Then the browser starts the negotiation with the server using NTLMv2.

Kind regards,

Pedro Saraiva

On 05-06-2012 15:31, Oleg Kalnichevski wrote:
On Tue, 2012-06-05 at 15:19 +0100, Pedro Saraiva wrote:
Hi Oleg,

Here's the session log from the code I posted earlier:

executing request: GET /services/files/ HTTP/1.1
to target: http://172.27.192.171:8080
2012/06/05 15:13:53:580 WEST [DEBUG] BasicClientConnectionManager - Get
connection for route {}->http://172.27.192.171:8080
2012/06/05 15:13:53:604 WEST [DEBUG] DefaultClientConnectionOperator -
Connecting to 172.27.192.171:8080
2012/06/05 15:13:53:625 WEST [DEBUG] RequestAddCookies - CookieSpec
selected: best-match
2012/06/05 15:13:53:643 WEST [DEBUG] RequestAuthCache - Auth cache not
set in the context
2012/06/05 15:13:53:644 WEST [DEBUG] RequestTargetAuthentication -
Target auth state: UNCHALLENGED
2012/06/05 15:13:53:644 WEST [DEBUG] RequestProxyAuthentication - Proxy
auth state: UNCHALLENGED
2012/06/05 15:13:53:644 WEST [DEBUG] DefaultHttpClient - Attempt 1 to
execute request
2012/06/05 15:13:53:645 WEST [DEBUG] DefaultClientConnection - Sending
request: GET /services/files/ HTTP/1.1
2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>  GET /services/files/
HTTP/1.1
2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>  Host: 172.27.192.171:8080
2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>  Connection: Keep-Alive
2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>  User-Agent:
Apache-HttpClient/4.2 (java 1.5)
2012/06/05 15:13:53:653 WEST [DEBUG] DefaultClientConnection - Receiving
response: HTTP/1.1 401 Unauthorized
2012/06/05 15:13:53:653 WEST [DEBUG] headers -<<  HTTP/1.1 401 Unauthorized
2012/06/05 15:13:53:653 WEST [DEBUG] headers -<<  Server: Apache-Coyote/1.1
2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  X-Powered-By:
Servlet/3.0; JBossAS-6
2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  WWW-Authenticate:
Negotiate
Well, as you can see the server has been configured to support SPNEGO
only. NTLM is not included in the authentication challenge as a supported
option.

Oleg

2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  Connection: keep-alive
2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  Content-Type:
text/html;charset=utf-8
2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  Content-Length: 952
2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  Date: Tue, 05 Jun 2012
14:14:50 GMT
2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient - Connection can
be kept alive indefinitely
2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient -
172.27.192.171:8080 requested authentication
2012/06/05 15:13:53:661 WEST [DEBUG] TargetAuthenticationStrategy -
Authentication schemes in the order of preference: [negotiate, Kerberos,
NTLM, Digest, Basic]
2012/06/05 15:13:53:675 WEST [DEBUG] SPNegoScheme - Received challenge
'' from the auth server
2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy -
Challenge for Kerberos authentication scheme not available
2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy -
Challenge for NTLM authentication scheme not available
2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy -
Challenge for Digest authentication scheme not available
2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy -
Challenge for Basic authentication scheme not available
2012/06/05 15:13:53:677 WEST [DEBUG] DefaultHttpClient - Selected
authentication options: [NEGOTIATE]
2012/06/05 15:13:53:678 WEST [DEBUG] RequestAddCookies - CookieSpec
selected: best-match
2012/06/05 15:13:53:678 WEST [DEBUG] RequestAuthCache - Auth cache not
set in the context
2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication -
Target auth state: CHALLENGED
2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication -
Generating response to an authentication challenge using Negotiate scheme
2012/06/05 15:13:53:679 WEST [DEBUG] SPNegoScheme - init 172.27.192.171:8080
2012/06/05 15:13:53:750 WEST [WARN] RequestTargetAuthentication -
NEGOTIATE authentication error: No valid credentials provided (Mechanism
level: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt))
2012/06/05 15:13:53:750 WEST [DEBUG] RequestProxyAuthentication - Proxy
auth state: UNCHALLENGED
2012/06/05 15:13:53:750 WEST [DEBUG] DefaultHttpClient - Attempt 2 to
execute request
2012/06/05 15:13:53:750 WEST [DEBUG] DefaultClientConnection - Sending
request: GET /services/files/ HTTP/1.1
2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>  GET /services/files/
HTTP/1.1
2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>  Host: 172.27.192.171:8080
2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>  Connection: Keep-Alive
2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>  User-Agent:
Apache-HttpClient/4.2 (java 1.5)
2012/06/05 15:13:53:776 WEST [DEBUG] DefaultClientConnection - Receiving
response: HTTP/1.1 401 Unauthorized
----------------------------------------
HTTP/1.1 401 Unauthorized
2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<  HTTP/1.1 401 Unauthorized
Response content length: 952
2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<  Server: Apache-Coyote/1.1
2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<  X-Powered-By:
Servlet/3.0; JBossAS-6
2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<  WWW-Authenticate:
Negotiate
2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<  Connection: keep-alive
2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<  Content-Type:
text/html;charset=utf-8
2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<  Content-Length: 952
2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<  Date: Tue, 05 Jun 2012
14:14:50 GMT
2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient - Connection can
be kept alive indefinitely
2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient -
172.27.192.171:8080 requested authentication
2012/06/05 15:13:53:778 WEST [DEBUG] DefaultHttpClient - Authorization
challenge processed
2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Received challenge
'' from the auth server
2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Authentication
already attempted
2012/06/05 15:13:53:780 WEST [DEBUG] DefaultHttpClient - Authentication
failed
2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager -
Releasing connection
org.apache.http.impl.conn.ManagedClientConnectionImpl@7f565474
2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager -
Connection can be kept alive indefinitely
2012/06/05 15:13:53:783 WEST [DEBUG] DefaultClientConnection -
Connection 0.0.0.0:43639<->172.27.192.171:8080 closed

Kind regards,
Pedro Saraiva

On 05-06-2012 15:00, Oleg Kalnichevski wrote:
On Tue, 2012-06-05 at 11:52 +0100, Pedro Saraiva wrote:
Hello,

I have a site protected with SPNEGO. The authentication can be performed
with both Kerberos and NTLMv2.

I'm trying to use HttpClient 4.2 to authenticate against this site
through NTLMv2 but without success so far. Here's my sample code:

import java.net.InetAddress;

import org.apache.http.HttpEntity;
import org.apache.http.HttpHost;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.NTCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.ClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.util.EntityUtils;

// Class and main() wrapper added so the snippet compiles as-is; the class name is arbitrary.
public class NtlmSpnegoTest {

    public static void main(String[] args) throws Exception {
        HttpHost targetHost = new HttpHost("172.27.192.171", 8080, "http");

        DefaultHttpClient httpclient = new DefaultHttpClient();

        try {
            // NT credentials: user, password, workstation name, domain
            httpclient.getCredentialsProvider().setCredentials(
                    new AuthScope(targetHost.getHostName(), targetHost.getPort()),
                    new NTCredentials("psaraiva", "psaraiva",
                            InetAddress.getLocalHost().getHostName(), "DEV"));
                    //new UsernamePasswordCredentials("psaraiva", "psaraiva"));

            // Create AuthCache instance
            AuthCache authCache = new BasicAuthCache();
            // Generate BASIC scheme object and add it to the local
            // auth cache
            BasicScheme basicAuth = new BasicScheme();
            authCache.put(targetHost, basicAuth);

            // Add AuthCache to the execution context
            BasicHttpContext localcontext = new BasicHttpContext();
            localcontext.setAttribute(ClientContext.AUTH_CACHE, authCache);

            HttpGet httpget = new HttpGet("/services/files/");

            System.out.println("executing request: " + httpget.getRequestLine());
            System.out.println("to target: " + targetHost);

            // The local context (and thus the pre-emptive BASIC cache) is deliberately not passed here
            HttpResponse response = httpclient.execute(targetHost, httpget); //, localcontext);
            HttpEntity entity = response.getEntity();

            System.out.println("----------------------------------------");
            System.out.println(response.getStatusLine());
            if (entity != null) {
                System.out.println("Response content length: " + entity.getContentLength());
            }
            EntityUtils.consume(entity);

        } finally {
            // When HttpClient instance is no longer needed,
            // shut down the connection manager to ensure
            // immediate deallocation of all system resources
            httpclient.getConnectionManager().shutdown();
        }
    }
}

HttpClient seems to only try the Kerberos authentication and outputs the
following warning:
WARN [main] (RequestAuthenticationBase.java:88) - NEGOTIATE
authentication error: No valid credentials provided (Mechanism level: No
valid credentials provided (Mechanism level: Failed to find any Kerberos
tgt))

However, I want to force it to use NTLMv2. The HttpClient NTLM auth
page states that NTLMv2 is supported since version 4.1.

Does HttpClient 4.2 support NTLMv2 over SPNEGO? Or is it my bad
configuration that's causing it not to use NTLMv2?

Kind regards,

Pedro Saraiva

Hi Pedro

Generally SPNEGO takes precedence over NTLM by default, but HttpClient
4.2 should have automatically attempted to authenticate with NTLM after
the SPNEGO failure.

Could you please post a complete wire log of the HTTP session?

http://hc.apache.org/httpcomponents-client-ga/logging.html

Oleg
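The scheme selection the session log shows (HttpClient walks its preference list, but a scheme is only usable if the server actually challenged with it, so a bare WWW-Authenticate: Negotiate leaves it with nothing but SPNEGO), together with Pedro's Wireshark observation that a browser answers that same challenge with NTLM, as an added example that is not part of this thread and not HttpClient code: a small Python helper that parses the challenges in a 401, applies the logged preference order, and classifies what a client really sent back inside an Authorization: Negotiate header (raw NTLM message, SPNEGO token, or Kerberos token). The 401 header list is reconstructed from the log, the two client tokens are constructed samples, and the preference order, mechanism OIDs and NTLMSSP signature are standard values.

```python
import base64
import re

# Preference order exactly as HttpClient 4.2 logged it in the session above.
HTTPCLIENT_PREFERENCE = ["negotiate", "kerberos", "ntlm", "digest", "basic"]

# GSS-API mechanism OIDs in DER (tag 0x06, length, contents). Standard values:
# SPNEGO is 1.3.6.1.5.5.2, Kerberos V5 is 1.2.840.113554.1.2.2.
SPNEGO_OID = bytes.fromhex("06062b0601050502")
KRB5_OID = bytes.fromhex("06092a864886f712010202")
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # every raw NTLM message starts with this

# Sample reconstructed from the 401 in the session log (constructed list).
LOGGED_401_HEADERS = [
    ("Server", "Apache-Coyote/1.1"),
    ("X-Powered-By", "Servlet/3.0; JBossAS-6"),
    ("WWW-Authenticate", "Negotiate"),
    ("Connection", "keep-alive"),
]


def parse_challenges(headers):
    """Return {scheme_lower: params} for every challenge in the 401 headers.

    A response may carry several WWW-Authenticate lines, and one line may carry
    several comma-separated challenges ("Negotiate, NTLM, Basic realm=x"), so
    split on commas that are followed by a bare scheme token.
    """
    offered = {}
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        for challenge in re.split(r",\s*(?=[A-Za-z][\w-]*(?:\s|$))", value.strip()):
            scheme, _, params = challenge.strip().partition(" ")
            if scheme:
                offered[scheme.lower()] = params.strip()
    return offered


def select_scheme(offered, preference=HTTPCLIENT_PREFERENCE):
    """Walk the preference list the way the log shows HttpClient doing it:
    a scheme is usable only if the server challenged with it.
    Returns (usable_in_preference_order, schemes_with_no_challenge)."""
    usable = [s for s in preference if s in offered]
    missing = [s for s in preference if s not in offered]
    return usable, missing


def classify_negotiate_token(authorization_value):
    """Tell what a client really put inside 'Authorization: Negotiate <b64>'.

    A client may answer a bare Negotiate challenge with a raw NTLM message
    (signature 'NTLMSSP\\0') or with a GSS-API InitialContextToken (DER tag
    0x60, a length, then the mechanism OID: SPNEGO or Kerberos).
    """
    scheme, _, b64 = authorization_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIGNATURE):
        # message type: 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE
        msg_type = int.from_bytes(token[8:12], "little")
        return "raw-ntlm-type%d" % msg_type
    if len(token) >= 2 and token[:1] == b"\x60":
        idx = 2                      # skip the tag byte and the first length byte
        first_len = token[1]
        if first_len & 0x80:         # long-form DER length: skip its extra bytes
            idx += first_len & 0x7F
        if token.startswith(SPNEGO_OID, idx):
            return "spnego"
        if token.startswith(KRB5_OID, idx):
            return "kerberos"
        return "gss-unknown-mechanism"
    return "unknown"


# Constructed sample client tokens (not captured from the real session).
# NTLM NEGOTIATE (type 1): signature, type, arbitrary flags, empty name fields.
SAMPLE_NTLM_TYPE1_B64 = base64.b64encode(
    NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + bytes(16)
).decode()
# SPNEGO InitialContextToken header only (tag 0x60, length, SPNEGO OID); the
# NegTokenInit body is omitted because the classifier never reads it.
SAMPLE_SPNEGO_B64 = base64.b64encode(
    b"\x60" + bytes([len(SPNEGO_OID)]) + SPNEGO_OID
).decode()


def diagnose(headers, preference=HTTPCLIENT_PREFERENCE):
    """Summarise why a client with the logged preferences ends up where it does."""
    offered = parse_challenges(headers)
    usable, missing = select_scheme(offered, preference)
    return {"offered": sorted(offered), "usable": usable, "missing": missing}


if __name__ == "__main__":
    print(diagnose(LOGGED_401_HEADERS))
    print(classify_negotiate_token("Negotiate " + SAMPLE_NTLM_TYPE1_B64))
    print(classify_negotiate_token("Negotiate " + SAMPLE_SPNEGO_B64))
```

Run against the logged 401 the only usable scheme is negotiate and ntlm lands in the "missing" list, which is exactly the "Challenge for NTLM authentication scheme not available" line in the log; a server that also sends WWW-Authenticate: NTLM makes ntlm usable. The classifier is the check to run on a capture like Pedro's: if the token after "Negotiate" decodes to bytes starting with NTLMSSP, the client is doing NTLM inside the Negotiate header, not Kerberos.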



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

