Thank you for your response. I have no control over the server, unfortunately.
The test tool I used only successfully connected using NTLM and not Kerberos. That's why I think the server only supports NTLM. So what I want is SPNEGO to negotiate NTLM, but that is not supported apparently. I didn't know that. I suspect that is the reason for the "KrbException: Cannot locate default realm" warning. Is support for NTLMv2 as SPNEGO sub-mechanism planned in future versions? Or is there another Java library that can do it?

2015-05-20 12:18 GMT+02:00 Michael Osipov <1983-01...@gmx.net>:

>> Hi,
>>
>> One of our customers is using a webservice we need to get data from.
>> So far, we've been unsuccessful in doing that because of authentication
>> errors. We can't seem to get past the NEGOTIATE phase of
>> authentication using 4.4.1 of httpclient. We've also tried older
>> versions of httpclient, the JCIFS library and a lot of variants of the
>> script below, but it all had the same result. I'm not sure what we're
>> doing wrong. The log shows a warning:
>> 2015/05/20 09:10:08:867 CEST [WARN] HttpAuthenticator - NEGOTIATE
>> authentication error: Invalid name provided (Mechanism level:
>> KrbException: Cannot locate default realm)
>>
>> We can't seem to get rid of this warning. The webservice works fine
>> when connecting to it using chrome webbrowser or a software tool
>> called 'kerberos authentication tester'. We used 'kerberos
>> authentication tester' to determine that the server is using NTLMv2
>> authentication. Information about the server from the test tool is
>> also found below.
>>
>
> Hi,
>
> some stuff isn't straight. Let me get it:
>
> 1. Kerberos is not NTLM and vice versa
> 2. You are mixing both
> 3. You cannot test a service with Kerberos which does not accept those tokens
>
> You have configured HttpClient to use NTLM. The server advertises Negotiate,
> HttpClient tries SPNEGO, you receive "KrbException: Cannot locate default
> realm".
>
> From this, everything is correct.
>
> Figure out what you want?! SPNEGO to negotiate Kerberos or NTLM or just pure
> NTLM?
>
> If you want to perform NTLM only, configure your server to advertise:
> WWW-Authenticate: NTLM
>
> JGSS does *not* support NTLM as SPNEGO sub-mechanism, so HttpClient never
> will.
> If you want to perform Kerberos authentication via SPNEGO, fix your
> krb5.conf/ini.
>
> Michael
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
> For additional commands, e-mail: httpclient-users-h...@hc.apache.org
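
To see which mechanism a working client actually uses under the `Negotiate` scheme, the base64 token from its `Authorization: Negotiate ...` header can be decoded. The following is an added example, not code from the thread or from HttpClient: it reports whether a token is bare NTLMSSP, a raw Kerberos GSS token, or an SPNEGO NegTokenInit and which mechanisms that lists. The function name `classify_negotiate` and both sample tokens are constructed for illustration.

```python
import base64

# GSS-API mechanism OIDs, keyed by the hex of their DER content bytes.
MECHS = {"2b0601050502": "SPNEGO",                  # 1.3.6.1.5.5.2
         "2a864886f712010202": "Kerberos 5",        # 1.2.840.113554.1.2.2
         "2a864882f712010202": "Kerberos 5 (MS)",   # 1.2.840.48018.1.2.2
         "2b06010401823702020a": "NTLMSSP"}         # 1.3.6.1.4.1.311.2.2.10

def _tlv(buf, pos):  # one DER element at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def _oids(buf, pos, end):
    # Descend into constructed elements only; the mechToken OCTET STRING is skipped.
    found = []
    while pos < end:
        tag, start, stop = _tlv(buf, pos)
        if tag == 0x06:
            found.append(buf[start:stop].hex())
        elif tag & 0x20:
            found += _oids(buf, start, stop)
        pos = stop
    return found

def classify_negotiate(header_value):
    """'Negotiate <base64>' -> (token kind, mechanisms listed, in order)."""
    token = base64.b64decode(header_value.split()[1])
    if token.startswith(b"NTLMSSP\x00"):
        return "raw NTLMSSP", []
    tag, start, stop = _tlv(token, 0)
    if tag != 0x60:
        return "unknown", []
    _, o_start, o_stop = _tlv(token, start)
    outer = MECHS.get(token[o_start:o_stop].hex(), "other mechanism")
    if outer != "SPNEGO":
        return "raw " + outer, []
    return "SPNEGO", [MECHS.get(o, o) for o in _oids(token, o_stop, stop)]

# Constructed samples: SPNEGO NegTokenInit (Kerberos 5, NTLMSSP) and bare NTLMSSP type 1.
SPNEGO_SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602706062b0601050502a01d301ba019301706092a864886f712010202"
    "060a2b06010401823702020a")).decode()
NTLM_SAMPLE = "Negotiate " + base64.b64encode(
    bytes.fromhex("4e544c4d535350000100000007820800") + bytes(16)).decode()
print(classify_negotiate(SPNEGO_SAMPLE), classify_negotiate(NTLM_SAMPLE))
```

A result of `raw NTLMSSP`, or an SPNEGO list naming only NTLMSSP, shows that the working client is authenticating with NTLM rather than Kerberos.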