Hi,

One of our customers is using a webservice we need to get data from. So far, we've been unsuccessful in doing that because of authentication errors. We can't seem to get past the NEGOTIATE phase of authentication using 4.4.1 of httpclient. We've also tried older versions of httpclient, the JCIFS library and a lot of variants of the script below, but it all had the same result. I'm not sure what we're doing wrong. The log shows a warning:

2015/05/20 09:10:08:867 CEST [WARN] HttpAuthenticator - NEGOTIATE authentication error: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)

We can't seem to get rid of this warning. The webservice works fine when connecting to it using the Chrome web browser or a software tool called 'kerberos authentication tester'. We used 'kerberos authentication tester' to determine that the server is using NTLMv2 authentication. Information about the server from the test tool is also found below. Hopefully you guys can help. Here is the current setup and the output for this script:

//maven configuration ----------
<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>4.4.1</version>
</dependency>

//code --------------
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.NTCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class EmployeeWsClient {
    public static void main(String[] args) throws Exception {
        String password = "xxx";
        String host = "xxx.yyy.zz";
        String domain = "YYY";
        String endpoint = "https://xxx.yyy.zzz/NAV71Test/WS/Rotterdam/Page/EmployeeWS";
        String user = "eric";

        // NT credentials (user, password, workstation, domain) scoped to the target host on port 443
        CredentialsProvider credsProvider = new BasicCredentialsProvider();
        credsProvider.setCredentials(
                new AuthScope(host, 443),
                new NTCredentials(user, password, "", domain));

        // Client with default settings apart from the credentials provider
        CloseableHttpClient httpclient = HttpClients.custom()
                .setDefaultCredentialsProvider(credsProvider)
                .build();
        try {
            HttpGet httpget = new HttpGet(endpoint);
            System.out.println("Executing request " + httpget.getRequestLine());
            CloseableHttpResponse response = httpclient.execute(httpget);
            try {
                System.out.println("----------------------------------------");
                System.out.println(response.getStatusLine());
                // Drain the response body so the connection can be released
                EntityUtils.consume(response.getEntity());
            } finally {
                response.close();
            }
        } finally {
            httpclient.close();
        }
    }
}

//code output --------------------
Executing request GET https://xxx.yyy.zz/NAV71Test/WS/Rotterdam/Page/EmployeeWS HTTP/1.1
2015/05/20 09:10:03:868 CEST [DEBUG] RequestAddCookies - CookieSpec selected: default
2015/05/20 09:10:03:882 CEST [DEBUG] RequestAuthCache - Auth cache not set in the context
2015/05/20 09:10:03:883 CEST [DEBUG] PoolingHttpClientConnectionManager - Connection request: [route: {s}->https://xxx.yyy.zz:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
2015/05/20 09:10:03:896 CEST [DEBUG] PoolingHttpClientConnectionManager - Connection leased: [id: 0][route: {s}->https://xxx.yyy.zz:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
2015/05/20 09:10:03:897 CEST [DEBUG] MainClientExec - Opening connection {s}->https://xxx.yyy.zz:443
2015/05/20 09:10:03:903 CEST [DEBUG] DefaultHttpClientConnectionOperator - Connecting to xxx.yyy.zz/999.999.999.999:443
2015/05/20 09:10:03:903 CEST [DEBUG] SSLConnectionSocketFactory - Connecting socket to xxx.yyy.zz/999.999.999.999:443 with timeout 0
2015/05/20 09:10:04:058 CEST [DEBUG] SSLConnectionSocketFactory - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
2015/05/20 09:10:04:058 CEST [DEBUG] SSLConnectionSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2015/05/20 09:10:04:058 CEST [DEBUG] SSLConnectionSocketFactory - Starting handshake
2015/05/20 09:10:04:262 CEST [DEBUG] SSLConnectionSocketFactory - Secure session established
2015/05/20 09:10:04:262 CEST [DEBUG] SSLConnectionSocketFactory - negotiated protocol: TLSv1.2
2015/05/20 09:10:04:262 CEST [DEBUG] SSLConnectionSocketFactory - negotiated cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
2015/05/20 09:10:04:263 CEST [DEBUG] SSLConnectionSocketFactory - peer principal: CN=*.utica.nl, OU=PositiveSSL Wildcard, OU=Domain Control Validated
2015/05/20 09:10:04:263 CEST [DEBUG] SSLConnectionSocketFactory - peer alternative names: [*.utica.nl, utica.nl]
2015/05/20 09:10:04:263 CEST [DEBUG] SSLConnectionSocketFactory - issuer principal: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
2015/05/20 09:10:04:265 CEST [DEBUG] DefaultHttpClientConnectionOperator - Connection established 192.168.1.111:53562<->999.999.999.999:443
2015/05/20 09:10:04:265 CEST [DEBUG] MainClientExec - Executing request GET /NAV71Test/WS/Rotterdam/Page/EmployeeWS HTTP/1.1
2015/05/20 09:10:04:265 CEST [DEBUG] MainClientExec - Target auth state: UNCHALLENGED
2015/05/20 09:10:04:265 CEST [DEBUG] MainClientExec - Proxy auth state: UNCHALLENGED
2015/05/20 09:10:04:267 CEST [DEBUG] headers - http-outgoing-0 >> GET /NAV71Test/WS/Rotterdam/Page/EmployeeWS HTTP/1.1
2015/05/20 09:10:04:267 CEST [DEBUG] headers - http-outgoing-0 >> Host: xxx.yyy.zz
2015/05/20 09:10:04:267 CEST [DEBUG] headers - http-outgoing-0 >> Connection: Keep-Alive
2015/05/20 09:10:04:267 CEST [DEBUG] headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/4.4.1 (Java/1.8.0_25)
2015/05/20 09:10:04:267 CEST [DEBUG] headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate
2015/05/20 09:10:04:267 CEST [DEBUG] wire - http-outgoing-0 >> "GET /NAV71Test/WS/Rotterdam/Page/EmployeeWS HTTP/1.1[\r][\n]"
2015/05/20 09:10:04:267 CEST [DEBUG] wire - http-outgoing-0 >> "Host: xxx.yyy.zz[\r][\n]"
2015/05/20 09:10:04:267 CEST [DEBUG] wire - http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
2015/05/20 09:10:04:267 CEST [DEBUG] wire - http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.4.1 (Java/1.8.0_25)[\r][\n]"
2015/05/20 09:10:04:267 CEST [DEBUG] wire - http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
2015/05/20 09:10:04:267 CEST [DEBUG] wire - http-outgoing-0 >> "[\r][\n]"
2015/05/20 09:10:04:327 CEST [DEBUG] wire - http-outgoing-0 << "HTTP/1.1 401 Unauthorized[\r][\n]"
2015/05/20 09:10:04:327 CEST [DEBUG] wire - http-outgoing-0 << "Content-Length: 0[\r][\n]"
2015/05/20 09:10:04:327 CEST [DEBUG] wire - http-outgoing-0 << "Server: Microsoft-HTTPAPI/2.0[\r][\n]"
2015/05/20 09:10:04:327 CEST [DEBUG] wire - http-outgoing-0 << "WWW-Authenticate: Negotiate[\r][\n]"
2015/05/20 09:10:04:327 CEST [DEBUG] wire - http-outgoing-0 << "Date: Wed, 20 May 2015 07:10:06 GMT[\r][\n]"
2015/05/20 09:10:04:327 CEST [DEBUG] wire - http-outgoing-0 << "[\r][\n]"
2015/05/20 09:10:04:329 CEST [DEBUG] headers - http-outgoing-0 << HTTP/1.1 401 Unauthorized
2015/05/20 09:10:04:330 CEST [DEBUG] headers - http-outgoing-0 << Content-Length: 0
2015/05/20 09:10:04:330 CEST [DEBUG] headers - http-outgoing-0 << Server: Microsoft-HTTPAPI/2.0
2015/05/20 09:10:04:330 CEST [DEBUG] headers - http-outgoing-0 << WWW-Authenticate: Negotiate
2015/05/20 09:10:04:330 CEST [DEBUG] headers - http-outgoing-0 << Date: Wed, 20 May 2015 07:10:06 GMT
2015/05/20 09:10:04:333 CEST [DEBUG] MainClientExec - Connection can be kept alive indefinitely
2015/05/20 09:10:04:333 CEST [DEBUG] HttpAuthenticator - Authentication required
2015/05/20 09:10:04:333 CEST [DEBUG] HttpAuthenticator - xxx.yyy.zz:443 requested authentication
2015/05/20 09:10:04:333 CEST [DEBUG] TargetAuthenticationStrategy - Authentication schemes in the order of preference: [NTLM, Basic, Digest, Negotiate, Kerberos]
2015/05/20 09:10:04:333 CEST [DEBUG] TargetAuthenticationStrategy - Challenge for NTLM authentication scheme not available
2015/05/20 09:10:04:333 CEST [DEBUG] TargetAuthenticationStrategy - Challenge for Basic authentication scheme not available
2015/05/20 09:10:04:333 CEST [DEBUG] TargetAuthenticationStrategy - Challenge for Digest authentication scheme not available
2015/05/20 09:10:04:339 CEST [DEBUG] SPNegoScheme - Received challenge '' from the auth server
2015/05/20 09:10:04:340 CEST [DEBUG] TargetAuthenticationStrategy - Challenge for Kerberos authentication scheme not available
2015/05/20 09:10:04:340 CEST [DEBUG] HttpAuthenticator - Selected authentication options: [NEGOTIATE]
2015/05/20 09:10:04:341 CEST [DEBUG] MainClientExec - Executing request GET /NAV71Test/WS/Rotterdam/Page/EmployeeWS HTTP/1.1
2015/05/20 09:10:04:341 CEST [DEBUG] MainClientExec - Target auth state: CHALLENGED
2015/05/20 09:10:04:341 CEST [DEBUG] HttpAuthenticator - Generating response to an authentication challenge using Negotiate scheme
2015/05/20 09:10:08:843 CEST [DEBUG] SPNegoScheme - init xxx.yyy.zz
2015/05/20 09:10:08:867 CEST [WARN] HttpAuthenticator - NEGOTIATE authentication error: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)
2015/05/20 09:10:08:867 CEST [DEBUG] MainClientExec - Proxy auth state: UNCHALLENGED
2015/05/20 09:10:08:867 CEST [DEBUG] headers - http-outgoing-0 >> GET /NAV71Test/WS/Rotterdam/Page/EmployeeWS HTTP/1.1
2015/05/20 09:10:08:867 CEST [DEBUG] headers - http-outgoing-0 >> Host: xxx.yyy.zz
2015/05/20 09:10:08:867 CEST [DEBUG] headers - http-outgoing-0 >> Connection: Keep-Alive
2015/05/20 09:10:08:867 CEST [DEBUG] headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/4.4.1 (Java/1.8.0_25)
2015/05/20 09:10:08:867 CEST [DEBUG] headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate
2015/05/20 09:10:08:867 CEST [DEBUG] wire - http-outgoing-0 >> "GET /NAV71Test/WS/Rotterdam/Page/EmployeeWS HTTP/1.1[\r][\n]"
2015/05/20 09:10:08:868 CEST [DEBUG] wire - http-outgoing-0 >> "Host: xxx.yyy.zz[\r][\n]"
2015/05/20 09:10:08:868 CEST [DEBUG] wire - http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
2015/05/20 09:10:08:868 CEST [DEBUG] wire - http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.4.1 (Java/1.8.0_25)[\r][\n]"
2015/05/20 09:10:08:868 CEST [DEBUG] wire - http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
2015/05/20 09:10:08:868 CEST [DEBUG] wire - http-outgoing-0 >> "[\r][\n]"
2015/05/20 09:10:08:926 CEST [DEBUG] wire - http-outgoing-0 << "HTTP/1.1 401 Unauthorized[\r][\n]"
2015/05/20 09:10:08:926 CEST [DEBUG] wire - http-outgoing-0 << "Content-Length: 0[\r][\n]"
2015/05/20 09:10:08:926 CEST [DEBUG] wire - http-outgoing-0 << "Server: Microsoft-HTTPAPI/2.0[\r][\n]"
2015/05/20 09:10:08:927 CEST [DEBUG] wire - http-outgoing-0 << "WWW-Authenticate: Negotiate[\r][\n]"
2015/05/20 09:10:08:927 CEST [DEBUG] wire - http-outgoing-0 << "Date: Wed, 20 May 2015 07:10:11 GMT[\r][\n]"
2015/05/20 09:10:08:927 CEST [DEBUG] wire - http-outgoing-0 << "[\r][\n]"
2015/05/20 09:10:08:927 CEST [DEBUG] headers - http-outgoing-0 << HTTP/1.1 401 Unauthorized
2015/05/20 09:10:08:927 CEST [DEBUG] headers - http-outgoing-0 << Content-Length: 0
2015/05/20 09:10:08:927 CEST [DEBUG] headers - http-outgoing-0 << Server: Microsoft-HTTPAPI/2.0
2015/05/20 09:10:08:927 CEST [DEBUG] headers - http-outgoing-0 << WWW-Authenticate: Negotiate
2015/05/20 09:10:08:927 CEST [DEBUG] headers - http-outgoing-0 << Date: Wed, 20 May 2015 07:10:11 GMT
2015/05/20 09:10:08:927 CEST [DEBUG] MainClientExec - Connection can be kept alive indefinitely
2015/05/20 09:10:08:927 CEST [DEBUG] HttpAuthenticator - Authentication required
2015/05/20 09:10:08:927 CEST [DEBUG] HttpAuthenticator - xxx.yyy.zz:443 requested authentication
2015/05/20 09:10:08:927 CEST [DEBUG] HttpAuthenticator - Authorization challenge processed
2015/05/20 09:10:08:927 CEST [DEBUG] SPNegoScheme - Received challenge '' from the auth server
2015/05/20 09:10:08:927 CEST [DEBUG] SPNegoScheme - Authentication already attempted
2015/05/20 09:10:08:927 CEST [DEBUG] HttpAuthenticator - Authentication failed
2015/05/20 09:10:08:927 CEST [DEBUG] PoolingHttpClientConnectionManager - Connection [id: 0][route: {s}->https://xxx.yyy.zz:443] can be kept alive indefinitely
2015/05/20 09:10:08:928 CEST [DEBUG] PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {s}->https://xxx.yyy.zz:443][total kept alive: 1; route allocated: 1 of 2; total allocated: 1 of 20]
2015/05/20 09:10:08:930 CEST [DEBUG] PoolingHttpClientConnectionManager - Connection manager is shutting down
----------------------------------------
HTTP/1.1 401 Unauthorized
2015/05/20 09:10:08:931 CEST [DEBUG] DefaultManagedHttpClientConnection - http-outgoing-0: Close connection
2015/05/20 09:10:08:931 CEST [DEBUG] DefaultManagedHttpClientConnection - http-outgoing-0: Close connection
2015/05/20 09:10:08:931 CEST [DEBUG] PoolingHttpClientConnectionManager - Connection manager shut down

//information about the server from kerberos testing tool
<?xml version="1.0" encoding="utf-8"?>
<WebTestRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Url>https://xxx.yyy.zz/NAV71Test/WS/Rotterdam/Page/EmployeeWS</Url>
  <HttpResult>200 OK</HttpResult>
  <RequestDate>2015-05-20T09:52:00.5913937+02:00</RequestDate>
  <AuthorizationType>Ntlm</AuthorizationType>
  <AuthorizationMessage xsi:type="NtlmAuthorizeMessage">
    <Signature>NTLMSSP</Signature>
    <MessageType>3</MessageType>
    <LmChallengeResponse>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</LmChallengeResponse>
    <NtChallengeResponse xsi:type="NtlmV2Response">
      <Version>2</Version>
      <Response>xZw/U0lhydNpj2LBvf9B7w==</Response>
      <NtlmV2ClientChallenge>
        <ResponseType>1</ResponseType>
        <HiResponseType>1</HiResponseType>
        <Reserved1>0</Reserved1>
        <Reserved2>0</Reserved2>
        <TimeStamp>2015-05-20T09:52:03.0366781+02:00</TimeStamp>
        <ChallengeFromClient>byASuoe60dw=</ChallengeFromClient>
        <Reserved3>0</Reserved3>
        <AvPairs>
          <MsvAvNbComputerName>XXX</MsvAvNbComputerName>
          <MsvAvNbDomainName>YYY</MsvAvNbDomainName>
          <MsvAvDnsComputerName>xxx.yyy.zz</MsvAvDnsComputerName>
          <MsvAvDnsDomainName>yyy.zz</MsvAvDnsDomainName>
          <MsvAvDnsTreeName>yyy.zz</MsvAvDnsTreeName>
          <MsvAvFlags>2</MsvAvFlags>
          <MsvAvTimestamp>2015-05-20T09:52:03.0366781+02:00</MsvAvTimestamp>
          <MsAvRestrictions>
            <Size>48</Size>
            <Z4>0</Z4>
            <IntegrityLevel>0</IntegrityLevel>
            <SubjectIntegrityLevel>12288</SubjectIntegrityLevel>
            <MachineID>t2hly4tgLfzWp3+JBk4nE+LmFrvQGE8BWRt4upGJsXE=</MachineID>
          </MsAvRestrictions>
          <MsvAvTargetName>HTTP/xxx.yyy.zz</MsvAvTargetName>
          <MsvChannelBindings>juzGnwjMucz8EPsx74f/FA==</MsvChannelBindings>
        </AvPairs>
      </NtlmV2ClientChallenge>
    </NtChallengeResponse>
    <DomainName>YYY</DomainName>
    <UserName>eric</UserName>
    <Workstation>USER-PC</Workstation>
    <EncryptedRandomSessionKey>YVxl6JYNFfAL+hHHgaqc2A==</EncryptedRandomSessionKey>
    <NegotiateFlags>NTLMSSP_NEGOTIATE_56 NTLMSSP_NEGOTIATE_KEY_EXCH NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_TARGET_INFO NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_SEAL NTLMSSP_NEGOTIATE_SIGN NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_UNICODE</NegotiateFlags>
    <Version>
      <ProductMajorVersion>6</ProductMajorVersion>
      <ProductMinorVersion>1</ProductMinorVersion>
      <ProductBuild>7601</ProductBuild>
      <NTLMRevisionCurrent>15</NTLMRevisionCurrent>
    </Version>
    <Mic>7WdH3+BcK0isN1fVvQHGzA==</Mic>
  </AuthorizationMessage>
  <RequestHeaders>
    <string>Authorization: Negotiate</string>
    <string>Host: xxx.yyy.zz</string>
    <string>Cache-Control: no-store,no-cache</string>
    <string>Pragma: no-cache</string>
  </RequestHeaders>
  <ResponseHeaders>
    <string>Content-Length: 10742</string>
    <string>Content-Type: text/xml; charset=utf-8</string>
    <string>Date: Wed, 20 May 2015 07:52:02 GMT</string>
    <string>Server: Microsoft-HTTPAPI/2.0</string>
  </ResponseHeaders>
</WebTestRequest>
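
Added example, not part of the original post and not HttpClient code: the test tool output above reports an NTLMSSP type 3 message sent in an "Authorization: Negotiate" header, while the HttpClient log shows the Negotiate scheme failing with a KrbException. The Java program below shows how the mechanism inside a Negotiate token can be identified from its first bytes; the class name and both sample tokens are constructed for illustration, and the OID search is a heuristic rather than a full DER parser.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
// Added example (hypothetical class): identify the mechanism inside a Negotiate token.
public class NegotiateTokenInspector {
    static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    // DER-encoded OIDs: SPNEGO 1.3.6.1.5.5.2 and Kerberos 5 1.2.840.113554.1.2.2
    static final byte[] SPNEGO = {0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
    static final byte[] KRB5 = {0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};
    static String classify(String headerValue) {
        String[] parts = headerValue.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Negotiate")) return "no Negotiate token present";
        byte[] tok;
        try { tok = Base64.getDecoder().decode(parts[1].trim()); }
        catch (IllegalArgumentException e) { return "token is not valid base64"; }
        // Raw NTLMSSP: 8-byte signature, then a little-endian message type (1, 2 or 3).
        if (tok.length >= 12 && Arrays.equals(Arrays.copyOf(tok, 8), NTLMSSP)) {
            int type = ByteBuffer.wrap(tok, 8, 4).order(ByteOrder.LITTLE_ENDIAN).getInt();
            return "NTLMSSP message type " + type;
        }
        // GSS-API initial tokens start with ASN.1 tag 0x60 followed by the mechanism OID.
        if (tok.length > 0 && tok[0] == 0x60) {
            if (contains(tok, SPNEGO)) return contains(tok, KRB5) ? "SPNEGO offering Kerberos 5" : "SPNEGO without Kerberos 5";
            if (contains(tok, KRB5)) return "raw Kerberos 5";
        }
        return "unrecognised token";
    }

    // Heuristic byte search; a strict parser would walk the DER structure instead.
    static boolean contains(byte[] haystack, byte[] needle) {
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            if (Arrays.equals(Arrays.copyOfRange(haystack, i, i + needle.length), needle)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: NTLMSSP signature and message type 3, zero-padded (no real credential data).
        byte[] ntlm = Arrays.copyOf(NTLMSSP, 64);
        ntlm[8] = 3;
        System.out.println(classify("Negotiate " + Base64.getEncoder().encodeToString(ntlm)));
        // Constructed sample: simplified, truncated SPNEGO prefix that lists the Kerberos 5 mechanism.
        byte[] spnego = {0x60, 0x17, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02, (byte) 0xa0, 0x0d, 0x30, 0x0b,
                0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};
        System.out.println(classify("Negotiate " + Base64.getEncoder().encodeToString(spnego)));
    }
}
```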