On Tue, 2012-06-05 at 16:03 +0100, Pedro Saraiva wrote:
> Hi,
>
> The server sends only Negotiate, but the negotiable sub-mechanisms
> include Kerberos and NTLMv2 (not NTLM). I think that's why it's called
> Negotiate: the server and the client can agree upon a mechanism
> supported by both.
> Attached is a Wireshark screenshot that shows the packets sent
> during a session between a browser and the server.
> As you can see, the server sends an Unauthorized with only
> WWW-Authenticate: Negotiate. Then the browser starts the negotiation
> with the server using NTLMv2.
>
> Kind regards,
>
> Pedro Saraiva
>
Pedro,
HttpClient is not a browser and is not supposed to do any guessing. The
server is clearly misbehaving by not including NTLM in the challenge
while still accepting NTLM as a valid authentication scheme.
There are several ways you can force HttpClient to use NTLM instead of
or in addition to SPNEGO.
(1) by forcing the NTLM auth scheme to be used in response to a SPNEGO
challenge
---
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.auth.NTLMSchemeFactory;
import org.apache.http.impl.client.DefaultHttpClient;

DefaultHttpClient httpclient = new DefaultHttpClient();
// Every "Negotiate" challenge is now answered with the NTLM scheme
httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO,
        new NTLMSchemeFactory());
---
(2) by rewriting the auth challenge header
---
import java.io.IOException;
import org.apache.http.Header;
import org.apache.http.HttpException;
import org.apache.http.HttpResponse;
import org.apache.http.HttpResponseInterceptor;
import org.apache.http.auth.AUTH;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.protocol.HttpContext;

DefaultHttpClient httpclient = new DefaultHttpClient();
httpclient.addResponseInterceptor(new HttpResponseInterceptor() {
    public void process(
            HttpResponse response,
            HttpContext context) throws HttpException, IOException {
        if (response.getStatusLine().getStatusCode() == 401) {
            // Only touch challenges coming from the known misbehaving server
            Header ua = response.getFirstHeader("X-Powered-By");
            if (ua != null && ua.getValue()
                    .equalsIgnoreCase("Servlet/3.0; JBossAS-6")) {
                Header challenge = response.getFirstHeader(
                        AUTH.WWW_AUTH);
                if (challenge != null && challenge.getValue()
                        .equalsIgnoreCase("Negotiate")) {
                    // Advertise NTLM so the NTLM scheme becomes eligible
                    response.setHeader(AUTH.WWW_AUTH,
                            "Negotiate, NTLM");
                }
            }
        }
    }
});
---
Hope this helps
Oleg
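A fuller version of the second approach above, added here as an example (it is neither code from this thread nor part of HttpClient): it rewrites only a bare "Negotiate" challenge on a 401, scopes the NTCredentials to the target host, port and NTLM scheme so the same credentials are never offered in reply to a Basic or Digest challenge, and checks the interceptor offline against a constructed 401. The class and method names are mine; the code assumes the HttpClient 4.2 API used in the thread.

```java
import java.io.IOException;
import org.apache.http.Header;
import org.apache.http.HttpException;
import org.apache.http.HttpResponse;
import org.apache.http.HttpResponseInterceptor;
import org.apache.http.HttpVersion;
import org.apache.http.auth.AUTH;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.NTCredentials;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicHttpResponse;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext;

public class NtlmChallengeRewrite { // example class, not part of HttpClient
    // Turns a bare "Negotiate" challenge into "Negotiate, NTLM" so the NTLM
    // scheme becomes eligible. Fires only on 401s carrying exactly one bare
    // WWW-Authenticate header; a server that already lists NTLM is untouched.
    static final HttpResponseInterceptor ADD_NTLM = new HttpResponseInterceptor() {
        public void process(HttpResponse response, HttpContext context)
                throws HttpException, IOException {
            if (response.getStatusLine().getStatusCode() != 401) return;
            Header[] challenges = response.getHeaders(AUTH.WWW_AUTH);
            if (challenges.length == 1
                    && challenges[0].getValue().trim().equalsIgnoreCase("Negotiate")) {
                response.setHeader(AUTH.WWW_AUTH, "Negotiate, NTLM");
            }
        }
    };

    // Client with the rewrite installed and NTLM credentials scoped to one host,
    // port and scheme, so they are never offered to a Basic or Digest challenge.
    static DefaultHttpClient newClient(String host, int port, NTCredentials creds) {
        DefaultHttpClient httpclient = new DefaultHttpClient();
        httpclient.addResponseInterceptor(ADD_NTLM);
        httpclient.getCredentialsProvider().setCredentials(
                new AuthScope(host, port, AuthScope.ANY_REALM, AuthPolicy.NTLM), creds);
        return httpclient;
    }

    // Offline check on a constructed 401 (no server needed).
    public static void main(String[] args) throws Exception {
        BasicHttpResponse r = new BasicHttpResponse(HttpVersion.HTTP_1_1, 401, "Unauthorized");
        r.addHeader(AUTH.WWW_AUTH, "Negotiate");
        ADD_NTLM.process(r, new BasicHttpContext());
        System.out.println(r.getFirstHeader(AUTH.WWW_AUTH).getValue());
    }
}
```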
> On 05-06-2012 15:31, Oleg Kalnichevski wrote:
> > On Tue, 2012-06-05 at 15:19 +0100, Pedro Saraiva wrote:
> >> Hi Oleg,
> >>
> >> Here's the session log from the code I posted earlier:
> >>
> >> executing request: GET /services/files/ HTTP/1.1
> >> to target: http://172.27.192.171:8080
> >> 2012/06/05 15:13:53:580 WEST [DEBUG] BasicClientConnectionManager - Get
> >> connection for route {}->http://172.27.192.171:8080
> >> 2012/06/05 15:13:53:604 WEST [DEBUG] DefaultClientConnectionOperator -
> >> Connecting to 172.27.192.171:8080
> >> 2012/06/05 15:13:53:625 WEST [DEBUG] RequestAddCookies - CookieSpec
> >> selected: best-match
> >> 2012/06/05 15:13:53:643 WEST [DEBUG] RequestAuthCache - Auth cache not
> >> set in the context
> >> 2012/06/05 15:13:53:644 WEST [DEBUG] RequestTargetAuthentication -
> >> Target auth state: UNCHALLENGED
> >> 2012/06/05 15:13:53:644 WEST [DEBUG] RequestProxyAuthentication - Proxy
> >> auth state: UNCHALLENGED
> >> 2012/06/05 15:13:53:644 WEST [DEBUG] DefaultHttpClient - Attempt 1 to
> >> execute request
> >> 2012/06/05 15:13:53:645 WEST [DEBUG] DefaultClientConnection - Sending
> >> request: GET /services/files/ HTTP/1.1
> >> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->> GET /services/files/
> >> HTTP/1.1
> >> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->> Host: 172.27.192.171:8080
> >> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->> Connection: Keep-Alive
> >> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->> User-Agent:
> >> Apache-HttpClient/4.2 (java 1.5)
> >> 2012/06/05 15:13:53:653 WEST [DEBUG] DefaultClientConnection - Receiving
> >> response: HTTP/1.1 401 Unauthorized
> >> 2012/06/05 15:13:53:653 WEST [DEBUG] headers -<< HTTP/1.1 401 Unauthorized
> >> 2012/06/05 15:13:53:653 WEST [DEBUG] headers -<< Server: Apache-Coyote/1.1
> >> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<< X-Powered-By:
> >> Servlet/3.0; JBossAS-6
> >> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<< WWW-Authenticate:
> >> Negotiate
> > Well, as you can see the server has been configured to support SPNEGO
> > only. NTLM is not included in the authentication challenge as a supported
> > option.
> >
> > Oleg
> >
> >> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<< Connection: keep-alive
> >> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<< Content-Type:
> >> text/html;charset=utf-8
> >> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<< Content-Length: 952
> >> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<< Date: Tue, 05 Jun 2012
> >> 14:14:50 GMT
> >> 2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient - Connection can
> >> be kept alive indefinitely
> >> 2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient -
> >> 172.27.192.171:8080 requested authentication
> >> 2012/06/05 15:13:53:661 WEST [DEBUG] TargetAuthenticationStrategy -
> >> Authentication schemes in the order of preference: [negotiate, Kerberos,
> >> NTLM, Digest, Basic]
> >> 2012/06/05 15:13:53:675 WEST [DEBUG] SPNegoScheme - Received challenge
> >> '' from the auth server
> >> 2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy -
> >> Challenge for Kerberos authentication scheme not available
> >> 2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy -
> >> Challenge for NTLM authentication scheme not available
> >> 2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy -
> >> Challenge for Digest authentication scheme not available
> >> 2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy -
> >> Challenge for Basic authentication scheme not available
> >> 2012/06/05 15:13:53:677 WEST [DEBUG] DefaultHttpClient - Selected
> >> authentication options: [NEGOTIATE]
> >> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestAddCookies - CookieSpec
> >> selected: best-match
> >> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestAuthCache - Auth cache not
> >> set in the context
> >> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication -
> >> Target auth state: CHALLENGED
> >> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication -
> >> Generating response to an authentication challenge using Negotiate scheme
> >> 2012/06/05 15:13:53:679 WEST [DEBUG] SPNegoScheme - init
> >> 172.27.192.171:8080
> >> 2012/06/05 15:13:53:750 WEST [WARN] RequestTargetAuthentication -
> >> NEGOTIATE authentication error: No valid credentials provided (Mechanism
> >> level: No valid credentials provided (Mechanism level: Failed to find
> >> any Kerberos tgt))
> >> 2012/06/05 15:13:53:750 WEST [DEBUG] RequestProxyAuthentication - Proxy
> >> auth state: UNCHALLENGED
> >> 2012/06/05 15:13:53:750 WEST [DEBUG] DefaultHttpClient - Attempt 2 to
> >> execute request
> >> 2012/06/05 15:13:53:750 WEST [DEBUG] DefaultClientConnection - Sending
> >> request: GET /services/files/ HTTP/1.1
> >> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->> GET /services/files/
> >> HTTP/1.1
> >> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->> Host: 172.27.192.171:8080
> >> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->> Connection: Keep-Alive
> >> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->> User-Agent:
> >> Apache-HttpClient/4.2 (java 1.5)
> >> 2012/06/05 15:13:53:776 WEST [DEBUG] DefaultClientConnection - Receiving
> >> response: HTTP/1.1 401 Unauthorized
> >> ----------------------------------------
> >> HTTP/1.1 401 Unauthorized
> >> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<< HTTP/1.1 401 Unauthorized
> >> Response content length: 952
> >> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<< Server: Apache-Coyote/1.1
> >> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<< X-Powered-By:
> >> Servlet/3.0; JBossAS-6
> >> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<< WWW-Authenticate:
> >> Negotiate
> >> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<< Connection: keep-alive
> >> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<< Content-Type:
> >> text/html;charset=utf-8
> >> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<< Content-Length: 952
> >> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<< Date: Tue, 05 Jun 2012
> >> 14:14:50 GMT
> >> 2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient - Connection can
> >> be kept alive indefinitely
> >> 2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient -
> >> 172.27.192.171:8080 requested authentication
> >> 2012/06/05 15:13:53:778 WEST [DEBUG] DefaultHttpClient - Authorization
> >> challenge processed
> >> 2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Received challenge
> >> '' from the auth server
> >> 2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Authentication
> >> already attempted
> >> 2012/06/05 15:13:53:780 WEST [DEBUG] DefaultHttpClient - Authentication
> >> failed
> >> 2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager -
> >> Releasing connection
> >> org.apache.http.impl.conn.ManagedClientConnectionImpl@7f565474
> >> 2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager -
> >> Connection can be kept alive indefinitely
> >> 2012/06/05 15:13:53:783 WEST [DEBUG] DefaultClientConnection -
> >> Connection 0.0.0.0:43639<->172.27.192.171:8080 closed
> >>
> >> Kind regards,
> >> Pedro Saraiva
> >>
> >> On 05-06-2012 15:00, Oleg Kalnichevski wrote:
> >>> On Tue, 2012-06-05 at 11:52 +0100, Pedro Saraiva wrote:
> >>>> Hello,
> >>>>
> >>>> I have a site protected with SPNEGO. The authentication can be performed
> >>>> with both Kerberos and NTLMv2.
> >>>>
> >>>> I'm trying to use HttpClient 4.2 to authenticate against this site
> >>>> through NTLMv2 but without success so far. Here's my sample code:
> >>>>
> >>>> import java.net.InetAddress;
> >>>>
> >>>> import org.apache.http.HttpEntity;
> >>>> import org.apache.http.HttpHost;
> >>>> import org.apache.http.HttpResponse;
> >>>> import org.apache.http.auth.AuthScope;
> >>>> import org.apache.http.auth.NTCredentials;
> >>>> import org.apache.http.client.AuthCache;
> >>>> import org.apache.http.client.methods.HttpGet;
> >>>> import org.apache.http.client.protocol.ClientContext;
> >>>> import org.apache.http.impl.auth.BasicScheme;
> >>>> import org.apache.http.impl.client.BasicAuthCache;
> >>>> import org.apache.http.impl.client.DefaultHttpClient;
> >>>> import org.apache.http.protocol.BasicHttpContext;
> >>>> import org.apache.http.util.EntityUtils;
> >>>>
> >>>> public class NtlmClientTest {
> >>>>     public static void main(String[] args) throws Exception {
> >>>>         HttpHost targetHost = new HttpHost("172.27.192.171", 8080, "http");
> >>>>
> >>>>         DefaultHttpClient httpclient = new DefaultHttpClient();
> >>>>
> >>>>         try {
> >>>>             // NTLM credentials for the target host; the workstation is the
> >>>>             // local host name and the domain is DEV
> >>>>             httpclient.getCredentialsProvider().setCredentials(
> >>>>                     new AuthScope(targetHost.getHostName(), targetHost.getPort()),
> >>>>                     new NTCredentials("psaraiva", "psaraiva",
> >>>>                             InetAddress.getLocalHost().getHostName(), "DEV"));
> >>>>                     //new UsernamePasswordCredentials("psaraiva", "psaraiva"));
> >>>>
> >>>>             // Create AuthCache instance
> >>>>             AuthCache authCache = new BasicAuthCache();
> >>>>             // Generate BASIC scheme object and add it to the local auth cache
> >>>>             BasicScheme basicAuth = new BasicScheme();
> >>>>             authCache.put(targetHost, basicAuth);
> >>>>
> >>>>             // Add AuthCache to the execution context
> >>>>             BasicHttpContext localcontext = new BasicHttpContext();
> >>>>             localcontext.setAttribute(ClientContext.AUTH_CACHE, authCache);
> >>>>
> >>>>             HttpGet httpget = new HttpGet("/services/files/");
> >>>>
> >>>>             System.out.println("executing request: " + httpget.getRequestLine());
> >>>>             System.out.println("to target: " + targetHost);
> >>>>
> >>>>             // localcontext (and with it the preemptive Basic cache) is not passed in
> >>>>             HttpResponse response = httpclient.execute(targetHost, httpget); //, localcontext);
> >>>>             HttpEntity entity = response.getEntity();
> >>>>
> >>>>             System.out.println("----------------------------------------");
> >>>>             System.out.println(response.getStatusLine());
> >>>>             if (entity != null) {
> >>>>                 System.out.println("Response content length: " + entity.getContentLength());
> >>>>             }
> >>>>             EntityUtils.consume(entity);
> >>>>
> >>>>         } finally {
> >>>>             // When HttpClient instance is no longer needed,
> >>>>             // shut down the connection manager to ensure
> >>>>             // immediate deallocation of all system resources
> >>>>             httpclient.getConnectionManager().shutdown();
> >>>>         }
> >>>>     }
> >>>> }
> >>>>
> >>>> HttpClient seems to only try the Kerberos authentication and outputs the
> >>>> following warning:
> >>>> WARN [main] (RequestAuthenticationBase.java:88) - NEGOTIATE
> >>>> authentication error: No valid credentials provided (Mechanism level: No
> >>>> valid credentials provided (Mechanism level: Failed to find any Kerberos
> >>>> tgt))
> >>>>
> >>>> However, I want to force it to use NTLMv2. The HttpClient NTLM
> >>>> auth page states that NTLMv2 is supported since version 4.1.
> >>>>
> >>>> Does HttpClient 4.2 support NTLMv2 over SPNEGO? Or is it my bad
> >>>> configuration that's causing it not to use NTLMv2?
> >>>>
> >>>> Kind regards,
> >>>>
> >>>> Pedro Saraiva
> >>>>
> >>> Hi Pedro
> >>>
> >>> Generally SPNEGO takes precedence over NTLM by default, but HttpClient
> >>> 4.2 should have automatically attempted to authenticate with NTLM after
> >>> the SPNEGO failure.
> >>>
> >>> Could you please post a complete wire log of the HTTP session?
> >>>
> >>> http://hc.apache.org/httpcomponents-client-ga/logging.html
> >>>
> >>> Oleg
> >>>
> >>>
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: [email protected]
> >>> For additional commands, e-mail: [email protected]
> >>>