First, please do not top post!

On 2015-05-20 at 13:50, Gerben wrote:
Thank you for your response. I have no control over the server, unfortunately.

The test tool I used only successfully connected using NTLM and not
Kerberos. That's why I think the server only supports NTLM.
So what I want is SPNEGO to negotiate NTLM, but that is not supported
apparently. I didn't know that.
I suspect that is the reason for the "KrbException: Cannot locate
default realm" warning.

That is actually an error in your Kerberos configuration.

Is support for NTLMv2 as SPNEGO sub-mechanism planned in future
versions? Or is there another java library that can do it?

There is nothing planned and there never will be, for the following reasons:

1) NTLM (even v2) is outdated and deprecated by Microsoft
2) It is proprietary
3) Oracle will not add a GSS-API mechanism for that into the JDK/JRE due to the points above
4) We have no control over Oracle/IBM/$JVM_VENDOR or its JGSS implementation

If you still think you want to use NTLM with SPNEGO, here are your options:

1) Write a JGSS mechanism plugin and hook it into JGSS
2) Use SSPI through JNA if you are on Windows, but this is absolutely not portable

My serious advice is:

Contact your customer, tell them that their Kerberos setup is broken. It is either a DNS problem or a missing SPN in the AD. Both can be fixed within 5 minutes.

Otherwise, you are out of luck.

Michael

2015-05-20 12:18 GMT+02:00 Michael Osipov <1983-01...@gmx.net>:
Hi,

One of our customers is using a webservice we need to get data from.
So far, we've been unsuccessful in doing that because of authentication
errors. We can't seem to get past the NEGOTIATE phase of
authentication using 4.4.1 of httpclient. We've also tried older
versions of httpclient, the JCIFS library and a lot of variants of the
script below, but it all had the same result. I'm not sure what we're
doing wrong. The log shows a warning:
2015/05/20 09:10:08:867 CEST [WARN] HttpAuthenticator - NEGOTIATE
authentication error: Invalid name provided (Mechanism level:
KrbException: Cannot locate default realm)

We can't seem to get rid of this warning. The webservice works fine
when connecting to it using the Chrome web browser or a software tool
called 'kerberos authentication tester'. We used 'kerberos
authentication tester' to determine that the server is using NTLMv2
authentication. Information about the server from the test tool is
also found below.


Hi,

some stuff isn't straight. Let me get it:

1. Kerberos is not NTLM and vice versa
2. You are mixing both
3. You cannot test a service with Kerberos which does not accept those tokens

You have configured HttpClient to use NTLM. The server advertises Negotiate,
HttpClient tries SPNEGO, you receive "KrbException: Cannot locate default 
realm".

From this, everything is correct.

Figure out what you want?! SPNEGO to negotiate Kerberos or NTLM or just pure 
NTLM?

If you want to perform NTLM only, configure your server to advertise:
WWW-Authenticate: NTLM

JGSS does *not* support NTLM as SPNEGO sub-mechanism, so HttpClient never will.
If you want to perform Kerberos authentication via SPNEGO, fix your 
krb5.conf/ini.

Michael

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org
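
Added example, not part of the original thread and not HttpClient or JGSS code: a small pre-flight check for the situation discussed above, reporting which mechanism a client that prefers Negotiate will attempt for a given set of `WWW-Authenticate` values, and whether the `krb5.conf` it would rely on names a default realm. Assumptions: the function names and sample data are constructed for illustration, the client prefers Negotiate whenever it is advertised (as the thread describes), and `krb5.conf` is the only source of the realm.

```python
import re

def advertised_schemes(www_authenticate_values):
    """Scheme names (lower-cased) in the order the server offered them."""
    schemes = []
    for value in www_authenticate_values:
        for part in value.split(","):
            words = part.split()
            # A challenge starts with a bare scheme token; "k=v" is a parameter.
            if words and "=" not in words[0]:
                schemes.append(words[0].lower())
    return schemes

def default_realm(krb5_text):
    """Value of default_realm in [libdefaults], or None when it is missing."""
    section = None
    for raw in krb5_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "default_realm" and value:
                return value
    return None

def diagnose(www_authenticate_values, krb5_text):
    """Return (mechanism the client will attempt, default realm or None)."""
    schemes = advertised_schemes(www_authenticate_values)
    if "negotiate" in schemes:
        # SPNEGO via JGSS means Kerberos; without a realm it cannot start.
        return ("spnego-kerberos", default_realm(krb5_text))
    if "ntlm" in schemes:
        return ("ntlm", None)
    return ("none", None)

# Constructed samples, not taken from the thread.
BROKEN_KRB5 = "[libdefaults]\n  dns_lookup_kdc = true\n"
FIXED_KRB5 = ("[libdefaults]\n  default_realm = EXAMPLE.COM\n"
              "[realms]\n  EXAMPLE.COM = {\n    kdc = kdc.example.com\n  }\n")

if __name__ == "__main__":
    print(diagnose(["Negotiate", "NTLM"], BROKEN_KRB5))
    print(diagnose(["Negotiate", "NTLM"], FIXED_KRB5))
    print(diagnose(["NTLM"], BROKEN_KRB5))
```

A result of `("spnego-kerberos", None)` corresponds to the "Cannot locate default realm" case in the thread: Negotiate was offered, so Kerberos is attempted, and the configuration gives it no realm to start from.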

