NTLMv2 connection

["Godbey, David J. (HQ-LM020)[DIGITAL MANAGEMENT INC.]" <da...@nasa.gov>]

When I login to my Exchange server via http-client for the first time, I get the following string out of the http-client to the server log. Subsequent connections does not get the below warning. All transactions are working properly. 

My sysops production person has asked if this warning can be suppressed since we think we understand it, and it is not really a problem.

My guess is that in the NTLMv2 negotiation, the Exchange server first requests a Kerberos ticket. If the ticket is unavailable, the server requests credentials, and this warning is issued by http-client. Do I have this right?

Is there a way to suppress this warning?

2013/01/18 13:32:58:412 CST [WARN] RequestTargetAuthentication - NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))

RE: NTLMv2 connection

["Godbey, David J. (HQ-LM020)[DIGITAL MANAGEMENT INC.]" <da...@nasa.gov>]

I think we want to support SPNego auth scheme. Isn't not having to go through the NTLMv2 handshake mechanism over and over again good for performance? It looks to me like the Kerberos ticket for the Exchange Web Service expires after 2 or 3 minutes. However, I could be sharing info with the EWS server a dozen or more times over that period. Perhaps I don't quite understand how these two mechanisms interact, and I appreciate any insight you can provide. 

-----Original Message-----
From: Oleg Kalnichevski [mailto:olegk@apache.org] 
Sent: Friday, January 18, 2013 5:50 PM
To: HttpClient User Discussion
Subject: Re: NTLMv2 connection

On Fri, 2013-01-18 at 13:43 -0600, Godbey, David J. (HQ-LM020)[DIGITAL MANAGEMENT INC.] wrote:
> When I login to my Exchange server via http-client for the first time, I get the following string out of the http-client to the server log. Subsequent connections does not get the below warning. All transactions are working properly. 
> 
> My sysops production person has asked if this warning can be suppressed since we think we understand it, and it is not really a problem.
> 
> My guess is that in the NTLMv2 negotiation, the Exchange server first requests a Kerberos ticket. If the ticket is unavailable, the server requests credentials, and this warning is issued by http-client. Do I have this right?
> 
> Is there a way to suppress this warning?
> 
> 2013/01/18 13:32:58:412 CST [WARN] RequestTargetAuthentication - 
> NEGOTIATE authentication error: No valid credentials provided 
> (Mechanism level: No valid credentials provided (Mechanism level: 
> Failed to find any Kerberos tgt))
> 
> 

There are two things you could do:

(1) Configure the
'org.apache.http.client.protocol.RequestTargetAuthentication' logger to log at ERROR priority only.

(2) Disable the SPNego auth scheme altogether by removing it from the registry of supported auth schemes.

Oleg



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org

Re: NTLMv2 connection

[Oleg Kalnichevski <ol...@apache.org>]

On Fri, 2013-01-18 at 13:43 -0600, Godbey, David J. (HQ-LM020)[DIGITAL
MANAGEMENT INC.] wrote:
> When I login to my Exchange server via http-client for the first time, I get the following string out of the http-client to the server log. Subsequent connections does not get the below warning. All transactions are working properly. 
> 
> My sysops production person has asked if this warning can be suppressed since we think we understand it, and it is not really a problem.
> 
> My guess is that in the NTLMv2 negotiation, the Exchange server first requests a Kerberos ticket. If the ticket is unavailable, the server requests credentials, and this warning is issued by http-client. Do I have this right?
> 
> Is there a way to suppress this warning?
> 
> 2013/01/18 13:32:58:412 CST [WARN] RequestTargetAuthentication - NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
> 
> 

There are two things you could do:

(1) Configure the
'org.apache.http.client.protocol.RequestTargetAuthentication' logger to
log at ERROR priority only.

(2) Disable the SPNego auth scheme altogether by removing it from the
registry of supported auth schemes.

Oleg



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org