Posted to httpclient-users@hc.apache.org by Pedro Saraiva <ps...@maisis.pt> on 2012/06/05 12:52:17 UTC

SPNEGO and NTLMv2

Hello,

I have a site protected with SPNEGO. The authentication can be performed 
with both Kerberos and NTLMv2.

I'm trying to use HttpClient 4.2 to authenticate against this site 
through NTLMv2 but without success so far. Here's my sample code:

        HttpHost targetHost = new HttpHost("172.27.192.171", 8080, "http");

        DefaultHttpClient httpclient = new DefaultHttpClient();

        try {
            httpclient.getCredentialsProvider().setCredentials(
                    new AuthScope(targetHost.getHostName(), targetHost.getPort()),
                    new NTCredentials("psaraiva", "psaraiva",
                            InetAddress.getLocalHost().getHostName(), "DEV"));
                    //new UsernamePasswordCredentials("psaraiva", "psaraiva" ));

            // Create AuthCache instance
            AuthCache authCache = new BasicAuthCache();
            // Generate BASIC scheme object and add it to the local
            // auth cache
            BasicScheme basicAuth = new BasicScheme();
            authCache.put(targetHost, basicAuth);

            // Add AuthCache to the execution context
            BasicHttpContext localcontext = new BasicHttpContext();
            localcontext.setAttribute(ClientContext.AUTH_CACHE, authCache);

            HttpGet httpget = new HttpGet("/services/files/");

            System.out.println("executing request: " + httpget.getRequestLine());
            System.out.println("to target: " + targetHost);

            HttpResponse response = httpclient.execute(targetHost, httpget);//, localcontext);
            HttpEntity entity = response.getEntity();

            System.out.println("----------------------------------------");
            System.out.println(response.getStatusLine());
            if (entity != null) {
                System.out.println("Response content length: " + entity.getContentLength());
            }
            EntityUtils.consume(entity);

        } finally {
            // When HttpClient instance is no longer needed,
            // shut down the connection manager to ensure
            // immediate deallocation of all system resources
            httpclient.getConnectionManager().shutdown();
        }

HttpClient seems to only try the Kerberos authentication and outputs the 
following warning:
WARN [main] (RequestAuthenticationBase.java:88) - NEGOTIATE 
authentication error: No valid credentials provided (Mechanism level: No 
valid credentials provided (Mechanism level: Failed to find any Kerberos 
tgt))

However, I want to force it to use NTLMv2. The HttpClient NTLM auth
page states that NTLMv2 is supported since version 4.1.

Does HttpClient 4.2 support NTLMv2 over SPNEGO? Or is it my bad
configuration that's causing it not to use NTLMv2?

Kind regards,

Pedro Saraiva

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Re: SPNEGO and NTLMv2

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2012-06-06 at 11:39 +0100, Pedro Saraiva wrote:
> Hello,
> 
> I don't think the browser is guessing, it's how the SPNEGO from 
> Microsoft works.
> 

I admittedly know very little about SPNEGO protocol but I vaguely
remember reading about SPNEGO being capable of using different
negotiable auth engines to do the actual authentication handshaking.
Microsoft products are known to support Kerberos and NTLM as negotiable
options. HttpClient currently supports Kerberos only. 

You would need to enable NTLMv2 as a separate authentication scheme on
the server side, not as one of negotiable options for SPNEGO.

Oleg

> >>>> On 05-06-2012 15:00, Oleg Kalnichevski wrote:
> >>>>> Hi Pedro
> >>>>>
> >>>>> Generally SPNEGO takes precedence over NTLM per default but HttpClient
> >>>>> 4.2 should have automatically attempted to authenticate with NTLM after
> >>>>> SPNEGO failure.
> >>>>>
> >>>>> Could you please post a complete wire log of the HTTP session?
> >>>>>
> >>>>> http://hc.apache.org/httpcomponents-client-ga/logging.html
> >>>>>
> >>>>> Oleg
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
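
The two request headers compared in this thread (`Authorization: NTLM TlRMTVNT...` from HttpClient, `Authorization: Negotiate TlRMTVNT...` from the browser) both carry a token beginning with the base64 of `NTLMSS`, that is, a raw NTLMSSP message rather than a SPNEGO-wrapped one. The following is an added example, not code from the thread or from HttpClient: a Python classifier for such header values that separates raw NTLMSSP from a SPNEGO NegTokenInit and NTLMv1-sized from NTLMv2-sized responses. All sample tokens and flag values are constructed for illustration.

```python
import base64
import binascii
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5_OID: "Kerberos", NTLMSSP_OID: "NTLMSSP"}
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def der_len(buf, pos):
    """Decode the DER length at buf[pos]; return (length, index of the content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token(raw):
    """Report what a decoded Negotiate/NTLM token really carries."""
    info = {"kind": "unknown", "mechs": []}
    try:
        if raw.startswith(NTLMSSP_SIG):
            info["kind"] = "raw-ntlmssp"
            mtype = struct.unpack_from("<I", raw, 8)[0]
            info["ntlm_message"] = NTLM_TYPES.get(mtype, "type %d" % mtype)
            if mtype == 3:
                # NtChallengeResponseFields.Len sits at offset 20 (MS-NLMP).
                nt_len = struct.unpack_from("<H", raw, 20)[0]
                # 24 bytes: NTLMv1 or NTLM2 session response; longer: NTLMv2 blob.
                info["nt_response"] = ("NTLMv1-size" if nt_len == 24
                                       else "NTLMv2-size" if nt_len > 24 else "none-or-short")
        elif raw[:1] == b"\x60":                       # GSS-API InitialContextToken
            _, pos = der_len(raw, 1)
            if raw[pos] != 0x06:
                raise ValueError("mechanism OID missing")
            olen, start = der_len(raw, pos + 1)
            oid, rest = raw[start:start + olen], raw[start + olen:]
            if oid == SPNEGO_OID:
                info["kind"] = "spnego-init"
                # List offered mechanisms in the order they appear in mechTypes.
                hits = [(rest.find(b"\x06" + bytes([len(o)]) + o), name)
                        for o, name in MECH_NAMES.items()]
                info["mechs"] = [name for idx, name in sorted(hits) if idx >= 0]
            else:
                info["kind"] = "gss-" + MECH_NAMES.get(oid, "other").lower()
        elif raw[:1] == b"\xa1":                       # SPNEGO NegTokenResp
            info["kind"] = "spnego-response"
    except (IndexError, ValueError, struct.error):
        info["kind"] = "malformed"
    return info


def classify_authorization(value):
    """Classify the value of an Authorization or WWW-Authenticate header."""
    scheme, _, token = value.strip().partition(" ")
    result = {"scheme": scheme, "kind": "no-token", "mechs": []}
    if token.strip():
        try:
            result.update(classify_token(base64.b64decode(token.strip(), validate=True)))
        except binascii.Error:
            result["kind"] = "not-base64"
    return result


def der(tag, body):
    """Encode one DER element (short-form length; the samples stay under 128 bytes)."""
    return bytes([tag, len(body)]) + body


def sample_ntlm_type1():
    """Constructed NTLMSSP NEGOTIATE message with empty domain/workstation fields."""
    return NTLMSSP_SIG + struct.pack("<II", 1, 0x00088207) + b"\x00" * 16


def sample_ntlm_type3(nt_response_len):
    """Constructed NTLMSSP AUTHENTICATE message; only the NT response is populated."""
    hdr = 64  # signature(8) + type(4) + six 8-byte field descriptors + flags(4)
    lm = struct.pack("<HHI", 0, 0, hdr)
    nt = struct.pack("<HHI", nt_response_len, nt_response_len, hdr)
    empty = struct.pack("<HHI", 0, 0, hdr + nt_response_len)
    return (NTLMSSP_SIG + struct.pack("<I", 3) + lm + nt + empty * 4
            + struct.pack("<I", 0x00088205) + b"\xAA" * nt_response_len)


def sample_spnego_init():
    """Constructed SPNEGO NegTokenInit offering Kerberos first, then NTLMSSP."""
    mech_list = der(0x06, KRB5_OID) + der(0x06, NTLMSSP_OID)
    neg_token_init = der(0xA0, der(0x30, der(0xA0, der(0x30, mech_list))))
    return der(0x60, der(0x06, SPNEGO_OID) + neg_token_init)


def make_header(scheme, raw):
    """Build a header value the way it appears on the wire."""
    return scheme + " " + base64.b64encode(raw).decode("ascii")
```

A result of `raw-ntlmssp` under the `Negotiate` scheme matches the browser request described above; `spnego-init` with `NTLMSSP` in `mechs` is the wrapped form of the same offer.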


Re: SPNEGO and NTLMv2

Posted by Pedro Saraiva <ps...@maisis.pt>.
Hello,

I don't think the browser is guessing, it's how the SPNEGO from 
Microsoft works.

Using the code you provided with a slight modification:

    public void process(
            HttpResponse response,
            HttpContext context) throws HttpException, IOException {
        if (response.getStatusLine().getStatusCode() == 401) {
            Header ua = response.getFirstHeader("X-Powered-By");
            if (ua != null && ua.getValue()
                    .equalsIgnoreCase("Servlet/3.0; JBossAS-6")) {
                Header challenge = response.getFirstHeader(
                        AUTH.WWW_AUTH);
                if (challenge != null && challenge.getValue()
                        .equalsIgnoreCase("Negotiate")) {
                    response.setHeader(AUTH.WWW_AUTH,
                            "Negotiate");
                    response.addHeader(AUTH.WWW_AUTH,
                            "NTLM");
                }
            }
        }
    }

The server outputs:  Unsupported security package: NTLM. That's because 
it's configured to not support NTLMv1.

Analysing the packets httpclient versus browser the difference seems to 
be in the authorization header:
- HttpClient: Authorization: NTLM TlRMTVNT...
- Browser: Authorization: Negotiate TlRMTVNT...

Kind regards,

Pedro Saraiva

On 05-06-2012 20:53, Oleg Kalnichevski wrote:
> On Tue, 2012-06-05 at 16:03 +0100, Pedro Saraiva wrote:
>> Hi,
>>
>> The server sends only Negotiate, but the negotiable sub-mechanisms
>> include Kerberos and NTLMv2 (not NTLM). I think that's why it's called
>> Negotiate: the server and the client can agree upon a supported
>> mechanism by both.
>> In attachment goes a screenshot of wireshark that shows the packets sent
>> during a session between a browser and the server.
>> As you can see the server sends an Unauthorized with only
>> WWW-Authenticate: Negotiate. Then the browser starts the negotiation
>> with the server using NTLMv2.
>>
>> Kind regards,
>>
>> Pedro Saraiva
>>
> Pedro
>
> HttpClient is not a browser and is not supposed to do any guessing. The
> server is clearly misbehaving by not including NTLM in the challenge
> while still accepting NTLM as a valid authentication scheme.
>
> There are several ways you can force HttpClient to use NTLM instead of
> or in addition to SPNEGO.
>
> (1) by forcing NTLM auth scheme to be used in response to SPNEGO
> challenge
>
> ---
> DefaultHttpClient httpclient = new DefaultHttpClient();
> httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO,
>    new NTLMSchemeFactory());
> ---
>
> (2) by rewriting the auth challenge header
>
> ---
> DefaultHttpClient httpclient = new DefaultHttpClient();
> httpclient.addResponseInterceptor(new HttpResponseInterceptor() {
>
>      public void process(
>              HttpResponse response,
>              HttpContext context) throws HttpException, IOException {
>          if (response.getStatusLine().getStatusCode() == 401) {
>              Header ua = response.getFirstHeader("X-Powered-By");
>              if (ua != null && ua.getValue()
>               .equalsIgnoreCase("Servlet/3.0; JBossAS-6")) {
>                  Header challenge = response.getFirstHeader(
>                    AUTH.WWW_AUTH);
>                  if (challenge != null && challenge.getValue()
>                    .equalsIgnoreCase("Negotiate")) {
>                      response.setHeader(AUTH.WWW_AUTH,
>                       "Negotiate, NTLM");
>                  }
>              }
>          }
>      }
> });
> ---
>
> Hope this helps
>
> Oleg
>
>> On 05-06-2012 15:31, Oleg Kalnichevski wrote:
>>> On Tue, 2012-06-05 at 15:19 +0100, Pedro Saraiva wrote:
>>>> Hi Oleg,
>>>>
>>>> Here's the session log from the code I posted earlier:
>>>>
>>>> executing request: GET /services/files/ HTTP/1.1
>>>> to target: http://172.27.192.171:8080
>>>> 2012/06/05 15:13:53:580 WEST [DEBUG] BasicClientConnectionManager - Get
>>>> connection for route {}->http://172.27.192.171:8080
>>>> 2012/06/05 15:13:53:604 WEST [DEBUG] DefaultClientConnectionOperator -
>>>> Connecting to 172.27.192.171:8080
>>>> 2012/06/05 15:13:53:625 WEST [DEBUG] RequestAddCookies - CookieSpec
>>>> selected: best-match
>>>> 2012/06/05 15:13:53:643 WEST [DEBUG] RequestAuthCache - Auth cache not
>>>> set in the context
>>>> 2012/06/05 15:13:53:644 WEST [DEBUG] RequestTargetAuthentication -
>>>> Target auth state: UNCHALLENGED
>>>> 2012/06/05 15:13:53:644 WEST [DEBUG] RequestProxyAuthentication - Proxy
>>>> auth state: UNCHALLENGED
>>>> 2012/06/05 15:13:53:644 WEST [DEBUG] DefaultHttpClient - Attempt 1 to
>>>> execute request
>>>> 2012/06/05 15:13:53:645 WEST [DEBUG] DefaultClientConnection - Sending
>>>> request: GET /services/files/ HTTP/1.1
>>>> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>   GET /services/files/
>>>> HTTP/1.1
>>>> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>   Host: 172.27.192.171:8080
>>>> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>   Connection: Keep-Alive
>>>> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>   User-Agent:
>>>> Apache-HttpClient/4.2 (java 1.5)
>>>> 2012/06/05 15:13:53:653 WEST [DEBUG] DefaultClientConnection - Receiving
>>>> response: HTTP/1.1 401 Unauthorized
>>>> 2012/06/05 15:13:53:653 WEST [DEBUG] headers -<<   HTTP/1.1 401 Unauthorized
>>>> 2012/06/05 15:13:53:653 WEST [DEBUG] headers -<<   Server: Apache-Coyote/1.1
>>>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<   X-Powered-By:
>>>> Servlet/3.0; JBossAS-6
>>>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<   WWW-Authenticate:
>>>> Negotiate
>>> Well, as you can see the server has been configured to support SPNEGO
>>> only. NTLM is not included in the authentication challenge as a supported
>>> option.
>>>
>>> Oleg
>>>
>>>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<   Connection: keep-alive
>>>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<   Content-Type:
>>>> text/html;charset=utf-8
>>>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<   Content-Length: 952
>>>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<   Date: Tue, 05 Jun 2012
>>>> 14:14:50 GMT
>>>> 2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient - Connection can
>>>> be kept alive indefinitely
>>>> 2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient -
>>>> 172.27.192.171:8080 requested authentication
>>>> 2012/06/05 15:13:53:661 WEST [DEBUG] TargetAuthenticationStrategy -
>>>> Authentication schemes in the order of preference: [negotiate, Kerberos,
>>>> NTLM, Digest, Basic]
>>>> 2012/06/05 15:13:53:675 WEST [DEBUG] SPNegoScheme - Received challenge
>>>> '' from the auth server
>>>> 2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy -
>>>> Challenge for Kerberos authentication scheme not available
>>>> 2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy -
>>>> Challenge for NTLM authentication scheme not available
>>>> 2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy -
>>>> Challenge for Digest authentication scheme not available
>>>> 2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy -
>>>> Challenge for Basic authentication scheme not available
>>>> 2012/06/05 15:13:53:677 WEST [DEBUG] DefaultHttpClient - Selected
>>>> authentication options: [NEGOTIATE]
>>>> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestAddCookies - CookieSpec
>>>> selected: best-match
>>>> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestAuthCache - Auth cache not
>>>> set in the context
>>>> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication -
>>>> Target auth state: CHALLENGED
>>>> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication -
>>>> Generating response to an authentication challenge using Negotiate scheme
>>>> 2012/06/05 15:13:53:679 WEST [DEBUG] SPNegoScheme - init 172.27.192.171:8080
>>>> 2012/06/05 15:13:53:750 WEST [WARN] RequestTargetAuthentication -
>>>> NEGOTIATE authentication error: No valid credentials provided (Mechanism
>>>> level: No valid credentials provided (Mechanism level: Failed to find
>>>> any Kerberos tgt))
>>>> 2012/06/05 15:13:53:750 WEST [DEBUG] RequestProxyAuthentication - Proxy
>>>> auth state: UNCHALLENGED
>>>> 2012/06/05 15:13:53:750 WEST [DEBUG] DefaultHttpClient - Attempt 2 to
>>>> execute request
>>>> 2012/06/05 15:13:53:750 WEST [DEBUG] DefaultClientConnection - Sending
>>>> request: GET /services/files/ HTTP/1.1
>>>> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>   GET /services/files/
>>>> HTTP/1.1
>>>> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>   Host: 172.27.192.171:8080
>>>> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>   Connection: Keep-Alive
>>>> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>   User-Agent:
>>>> Apache-HttpClient/4.2 (java 1.5)
>>>> 2012/06/05 15:13:53:776 WEST [DEBUG] DefaultClientConnection - Receiving
>>>> response: HTTP/1.1 401 Unauthorized
>>>> ----------------------------------------
>>>> HTTP/1.1 401 Unauthorized
>>>> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<   HTTP/1.1 401 Unauthorized
>>>> Response content length: 952
>>>> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<   Server: Apache-Coyote/1.1
>>>> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<   X-Powered-By:
>>>> Servlet/3.0; JBossAS-6
>>>> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<   WWW-Authenticate:
>>>> Negotiate
>>>> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<   Connection: keep-alive
>>>> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<   Content-Type:
>>>> text/html;charset=utf-8
>>>> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<   Content-Length: 952
>>>> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<   Date: Tue, 05 Jun 2012
>>>> 14:14:50 GMT
>>>> 2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient - Connection can
>>>> be kept alive indefinitely
>>>> 2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient -
>>>> 172.27.192.171:8080 requested authentication
>>>> 2012/06/05 15:13:53:778 WEST [DEBUG] DefaultHttpClient - Authorization
>>>> challenge processed
>>>> 2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Received challenge
>>>> '' from the auth server
>>>> 2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Authentication
>>>> already attempted
>>>> 2012/06/05 15:13:53:780 WEST [DEBUG] DefaultHttpClient - Authentication
>>>> failed
>>>> 2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager -
>>>> Releasing connection
>>>> org.apache.http.impl.conn.ManagedClientConnectionImpl@7f565474
>>>> 2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager -
>>>> Connection can be kept alive indefinitely
>>>> 2012/06/05 15:13:53:783 WEST [DEBUG] DefaultClientConnection -
>>>> Connection 0.0.0.0:43639<->172.27.192.171:8080 closed
>>>>
>>>> Kind regards,
>>>> Pedro Saraiva
>>>>
>>>> On 05-06-2012 15:00, Oleg Kalnichevski wrote:
>>>>> On Tue, 2012-06-05 at 11:52 +0100, Pedro Saraiva wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have a site protected with SPNEGO. The authentication can be performed
>>>>>> with both Kerberos and NTLMv2.
>>>>>>
>>>>>> I'm trying to use HttpClient 4.2 to authenticate against this site
>>>>>> through NTLMv2 but without success so far. Here's my sample code:
>>>>>>
>>>>>>             HttpHost targetHost = new HttpHost("172.27.192.171", 8080, "http");
>>>>>>
>>>>>>             DefaultHttpClient httpclient = new DefaultHttpClient();
>>>>>>
>>>>>>             try {
>>>>>>                 httpclient.getCredentialsProvider().setCredentials(
>>>>>>                         new AuthScope(targetHost.getHostName(),
>>>>>> targetHost.getPort()),
>>>>>>                         new NTCredentials("psaraiva", "psaraiva",
>>>>>> InetAddress.getLocalHost().getHostName(), "DEV"));
>>>>>>                         //new UsernamePasswordCredentials("psaraiva",
>>>>>> "psaraiva" ));
>>>>>>
>>>>>>                 // Create AuthCache instance
>>>>>>                 AuthCache authCache = new BasicAuthCache();
>>>>>>                 // Generate BASIC scheme object and add it to the local
>>>>>>                 // auth cache
>>>>>>                 BasicScheme basicAuth = new BasicScheme();
>>>>>>                 authCache.put(targetHost, basicAuth);
>>>>>>
>>>>>>                 // Add AuthCache to the execution context
>>>>>>                 BasicHttpContext localcontext = new BasicHttpContext();
>>>>>>                 localcontext.setAttribute(ClientContext.AUTH_CACHE, authCache);
>>>>>>
>>>>>>                 HttpGet httpget = new HttpGet("/services/files/");
>>>>>>
>>>>>>                 System.out.println("executing request: " +
>>>>>> httpget.getRequestLine());
>>>>>>                 System.out.println("to target: " + targetHost);
>>>>>>
>>>>>>                 HttpResponse response = httpclient.execute(targetHost,
>>>>>> httpget);//, localcontext);
>>>>>>                 HttpEntity entity = response.getEntity();
>>>>>>
>>>>>>
>>>>>> System.out.println("----------------------------------------");
>>>>>>                  System.out.println(response.getStatusLine());
>>>>>>                   if (entity != null) {
>>>>>>                       System.out.println("Response content length: " +
>>>>>> entity.getContentLength());
>>>>>>                   }
>>>>>>                   EntityUtils.consume(entity);
>>>>>>
>>>>>>             } finally {
>>>>>>                 // When HttpClient instance is no longer needed,
>>>>>>                 // shut down the connection manager to ensure
>>>>>>                 // immediate deallocation of all system resources
>>>>>>                 httpclient.getConnectionManager().shutdown();
>>>>>>             }
>>>>>>
>>>>>> HttpClient seems to only try the Kerberos authentication and outputs the
>>>>>> following warning:
>>>>>> WARN [main] (RequestAuthenticationBase.java:88) - NEGOTIATE
>>>>>> authentication error: No valid credentials provided (Mechanism level: No
>>>>>> valid credentials provided (Mechanism level: Failed to find any Kerberos
>>>>>> tgt))
>>>>>>
>>>>>> However, I want it to force it to use NTLMv2. From the HttpClient NTLM
>>>>>> auth page it states that NTLMv2 is supported since version 4.1.
>>>>>>
>>>>>> Does HttpClient 4.2 support NTLMv2 over SPNEGO? Or it's my bad
>>>>>> configuration that's causing it not to use NTLMv2?
>>>>>>
>>>>>> Kind regards,
>>>>>>
>>>>>> Pedro Saraiva
>>>>>>
>>>>> Hi Pedro
>>>>>
>>>>> Generally SPNEGO takes precedence over NTLM per default but HttpClient
>>>>> 4.2 should have automatically attempted to authenticate with NTLM after
>>>>> SPNEGO failure.
>>>>>
>>>>> Could you please post a complete wire log of the HTTP session?
>>>>>
>>>>> http://hc.apache.org/httpcomponents-client-ga/logging.html
>>>>>
>>>>> Oleg
>>>>>
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
>>>>> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>>>>>


Re: SPNEGO and NTLMv2

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2012-06-05 at 16:03 +0100, Pedro Saraiva wrote:
> Hi,
> 
> The server sends only Negotiate, but the negotiable sub-mechanisms 
> include Kerberos and NTLMv2 (not NTLM). I think that's why it's called 
> Negotiate: the server and the client can agree upon a supported 
> mechanism by both.
> In attachment goes a screenshot of Wireshark that shows the packets sent 
> during a session between a browser and the server.
> As you can see the server sends an Unauthorized with only 
> WWW-Authenticate: Negotiate. Then the browser starts the negotiation 
> with the server using NTLMv2.
> 
> Kind regards,
> 
> Pedro Saraiva
> 

Pedro

HttpClient is not a browser and is not supposed to do any guessing. The
server is clearly misbehaving by not including NTLM in the challenge
while still accepting NTLM as a valid authentication scheme.

There are several ways you can force HttpClient to use NTLM instead of
or in addition to SPNEGO. 

(1) by forcing NTLM auth scheme to be used in response to SPNEGO
challenge

---
DefaultHttpClient httpclient = new DefaultHttpClient();
httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, 
  new NTLMSchemeFactory());
---

(2) by rewriting the auth challenge header

---
DefaultHttpClient httpclient = new DefaultHttpClient();
httpclient.addResponseInterceptor(new HttpResponseInterceptor() {
    
    public void process(
            HttpResponse response, 
            HttpContext context) throws HttpException, IOException {
        if (response.getStatusLine().getStatusCode() == 401) {
            Header ua = response.getFirstHeader("X-Powered-By");
            if (ua != null && ua.getValue()
             .equalsIgnoreCase("Servlet/3.0; JBossAS-6")) {
                Header challenge = response.getFirstHeader(
                  AUTH.WWW_AUTH);
                if (challenge != null && challenge.getValue()
                  .equalsIgnoreCase("Negotiate")) {
                    response.setHeader(AUTH.WWW_AUTH, 
                     "Negotiate, NTLM");
                }
            }
        }
    }
});
---

Hope this helps

Oleg

> On 05-06-2012 15:31, Oleg Kalnichevski wrote:
> > On Tue, 2012-06-05 at 15:19 +0100, Pedro Saraiva wrote:
> >> Hi Oleg,
> >>
> >> Here's the session log from the code I posted earlier:
> >>
> >> executing request: GET /services/files/ HTTP/1.1
> >> to target: http://172.27.192.171:8080
> >> 2012/06/05 15:13:53:580 WEST [DEBUG] BasicClientConnectionManager - Get
> >> connection for route {}->http://172.27.192.171:8080
> >> 2012/06/05 15:13:53:604 WEST [DEBUG] DefaultClientConnectionOperator -
> >> Connecting to 172.27.192.171:8080
> >> 2012/06/05 15:13:53:625 WEST [DEBUG] RequestAddCookies - CookieSpec
> >> selected: best-match
> >> 2012/06/05 15:13:53:643 WEST [DEBUG] RequestAuthCache - Auth cache not
> >> set in the context
> >> 2012/06/05 15:13:53:644 WEST [DEBUG] RequestTargetAuthentication -
> >> Target auth state: UNCHALLENGED
> >> 2012/06/05 15:13:53:644 WEST [DEBUG] RequestProxyAuthentication - Proxy
> >> auth state: UNCHALLENGED
> >> 2012/06/05 15:13:53:644 WEST [DEBUG] DefaultHttpClient - Attempt 1 to
> >> execute request
> >> 2012/06/05 15:13:53:645 WEST [DEBUG] DefaultClientConnection - Sending
> >> request: GET /services/files/ HTTP/1.1
> >> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>  GET /services/files/
> >> HTTP/1.1
> >> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>  Host: 172.27.192.171:8080
> >> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>  Connection: Keep-Alive
> >> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>  User-Agent:
> >> Apache-HttpClient/4.2 (java 1.5)
> >> 2012/06/05 15:13:53:653 WEST [DEBUG] DefaultClientConnection - Receiving
> >> response: HTTP/1.1 401 Unauthorized
> >> 2012/06/05 15:13:53:653 WEST [DEBUG] headers -<<  HTTP/1.1 401 Unauthorized
> >> 2012/06/05 15:13:53:653 WEST [DEBUG] headers -<<  Server: Apache-Coyote/1.1
> >> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  X-Powered-By:
> >> Servlet/3.0; JBossAS-6
> >> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  WWW-Authenticate:
> >> Negotiate
> > Well, as you can see the server has been configured to support SPNEGO
> > only. NTLM is not included in the authentication challenge as a supported
> > option.
> >
> > Oleg
> >
> >> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  Connection: keep-alive
> >> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  Content-Type:
> >> text/html;charset=utf-8
> >> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  Content-Length: 952
> >> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  Date: Tue, 05 Jun 2012
> >> 14:14:50 GMT
> >> 2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient - Connection can
> >> be kept alive indefinitely
> >> 2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient -
> >> 172.27.192.171:8080 requested authentication
> >> 2012/06/05 15:13:53:661 WEST [DEBUG] TargetAuthenticationStrategy -
> >> Authentication schemes in the order of preference: [negotiate, Kerberos,
> >> NTLM, Digest, Basic]
> >> 2012/06/05 15:13:53:675 WEST [DEBUG] SPNegoScheme - Received challenge
> >> '' from the auth server
> >> 2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy -
> >> Challenge for Kerberos authentication scheme not available
> >> 2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy -
> >> Challenge for NTLM authentication scheme not available
> >> 2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy -
> >> Challenge for Digest authentication scheme not available
> >> 2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy -
> >> Challenge for Basic authentication scheme not available
> >> 2012/06/05 15:13:53:677 WEST [DEBUG] DefaultHttpClient - Selected
> >> authentication options: [NEGOTIATE]
> >> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestAddCookies - CookieSpec
> >> selected: best-match
> >> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestAuthCache - Auth cache not
> >> set in the context
> >> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication -
> >> Target auth state: CHALLENGED
> >> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication -
> >> Generating response to an authentication challenge using Negotiate scheme
> >> 2012/06/05 15:13:53:679 WEST [DEBUG] SPNegoScheme - init 172.27.192.171:8080
> >> 2012/06/05 15:13:53:750 WEST [WARN] RequestTargetAuthentication -
> >> NEGOTIATE authentication error: No valid credentials provided (Mechanism
> >> level: No valid credentials provided (Mechanism level: Failed to find
> >> any Kerberos tgt))
> >> 2012/06/05 15:13:53:750 WEST [DEBUG] RequestProxyAuthentication - Proxy
> >> auth state: UNCHALLENGED
> >> 2012/06/05 15:13:53:750 WEST [DEBUG] DefaultHttpClient - Attempt 2 to
> >> execute request
> >> 2012/06/05 15:13:53:750 WEST [DEBUG] DefaultClientConnection - Sending
> >> request: GET /services/files/ HTTP/1.1
> >> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>  GET /services/files/
> >> HTTP/1.1
> >> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>  Host: 172.27.192.171:8080
> >> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>  Connection: Keep-Alive
> >> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>  User-Agent:
> >> Apache-HttpClient/4.2 (java 1.5)
> >> 2012/06/05 15:13:53:776 WEST [DEBUG] DefaultClientConnection - Receiving
> >> response: HTTP/1.1 401 Unauthorized
> >> ----------------------------------------
> >> HTTP/1.1 401 Unauthorized
> >> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<  HTTP/1.1 401 Unauthorized
> >> Response content length: 952
> >> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<  Server: Apache-Coyote/1.1
> >> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<  X-Powered-By:
> >> Servlet/3.0; JBossAS-6
> >> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<  WWW-Authenticate:
> >> Negotiate
> >> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<  Connection: keep-alive
> >> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<  Content-Type:
> >> text/html;charset=utf-8
> >> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<  Content-Length: 952
> >> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<  Date: Tue, 05 Jun 2012
> >> 14:14:50 GMT
> >> 2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient - Connection can
> >> be kept alive indefinitely
> >> 2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient -
> >> 172.27.192.171:8080 requested authentication
> >> 2012/06/05 15:13:53:778 WEST [DEBUG] DefaultHttpClient - Authorization
> >> challenge processed
> >> 2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Received challenge
> >> '' from the auth server
> >> 2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Authentication
> >> already attempted
> >> 2012/06/05 15:13:53:780 WEST [DEBUG] DefaultHttpClient - Authentication
> >> failed
> >> 2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager -
> >> Releasing connection
> >> org.apache.http.impl.conn.ManagedClientConnectionImpl@7f565474
> >> 2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager -
> >> Connection can be kept alive indefinitely
> >> 2012/06/05 15:13:53:783 WEST [DEBUG] DefaultClientConnection -
> >> Connection 0.0.0.0:43639<->172.27.192.171:8080 closed
> >>
> >> Kind regards,
> >> Pedro Saraiva
> >>
> >> On 05-06-2012 15:00, Oleg Kalnichevski wrote:
> >>> On Tue, 2012-06-05 at 11:52 +0100, Pedro Saraiva wrote:
> >>>> Hello,
> >>>>
> >>>> I have a site protected with SPNEGO. The authentication can be performed
> >>>> with both Kerberos and NTLMv2.
> >>>>
> >>>> I'm trying to use HttpClient 4.2 to authenticate against this site
> >>>> through NTLMv2 but without success so far. Here's my sample code:
> >>>>
> >>>>            HttpHost targetHost = new HttpHost("172.27.192.171", 8080, "http");
> >>>>
> >>>>            DefaultHttpClient httpclient = new DefaultHttpClient();
> >>>>
> >>>>            try {
> >>>>                httpclient.getCredentialsProvider().setCredentials(
> >>>>                        new AuthScope(targetHost.getHostName(),
> >>>> targetHost.getPort()),
> >>>>                        new NTCredentials("psaraiva", "psaraiva",
> >>>> InetAddress.getLocalHost().getHostName(), "DEV"));
> >>>>                        //new UsernamePasswordCredentials("psaraiva",
> >>>> "psaraiva" ));
> >>>>
> >>>>                // Create AuthCache instance
> >>>>                AuthCache authCache = new BasicAuthCache();
> >>>>                // Generate BASIC scheme object and add it to the local
> >>>>                // auth cache
> >>>>                BasicScheme basicAuth = new BasicScheme();
> >>>>                authCache.put(targetHost, basicAuth);
> >>>>
> >>>>                // Add AuthCache to the execution context
> >>>>                BasicHttpContext localcontext = new BasicHttpContext();
> >>>>                localcontext.setAttribute(ClientContext.AUTH_CACHE, authCache);
> >>>>
> >>>>                HttpGet httpget = new HttpGet("/services/files/");
> >>>>
> >>>>                System.out.println("executing request: " +
> >>>> httpget.getRequestLine());
> >>>>                System.out.println("to target: " + targetHost);
> >>>>
> >>>>                HttpResponse response = httpclient.execute(targetHost,
> >>>> httpget);//, localcontext);
> >>>>                HttpEntity entity = response.getEntity();
> >>>>
> >>>>
> >>>> System.out.println("----------------------------------------");
> >>>>                 System.out.println(response.getStatusLine());
> >>>>                  if (entity != null) {
> >>>>                      System.out.println("Response content length: " +
> >>>> entity.getContentLength());
> >>>>                  }
> >>>>                  EntityUtils.consume(entity);
> >>>>
> >>>>            } finally {
> >>>>                // When HttpClient instance is no longer needed,
> >>>>                // shut down the connection manager to ensure
> >>>>                // immediate deallocation of all system resources
> >>>>                httpclient.getConnectionManager().shutdown();
> >>>>            }
> >>>>
> >>>> HttpClient seems to only try the Kerberos authentication and outputs the
> >>>> following warning:
> >>>> WARN [main] (RequestAuthenticationBase.java:88) - NEGOTIATE
> >>>> authentication error: No valid credentials provided (Mechanism level: No
> >>>> valid credentials provided (Mechanism level: Failed to find any Kerberos
> >>>> tgt))
> >>>>
> >>>> However, I want it to force it to use NTLMv2. From the HttpClient NTLM
> >>>> auth page it states that NTLMv2 is supported since version 4.1.
> >>>>
> >>>> Does HttpClient 4.2 support NTLMv2 over SPNEGO? Or it's my bad
> >>>> configuration that's causing it not to use NTLMv2?
> >>>>
> >>>> Kind regards,
> >>>>
> >>>> Pedro Saraiva
> >>>>
> >>> Hi Pedro
> >>>
> >>> Generally SPNEGO takes precedence over NTLM per default but HttpClient
> >>> 4.2 should have automatically attempted to authenticate with NTLM after
> >>> SPNEGO failure.
> >>>
> >>> Could you please post a complete wire log of the HTTP session?
> >>>
> >>> http://hc.apache.org/httpcomponents-client-ga/logging.html
> >>>
> >>> Oleg
> >>>
> >>>
> >>>


Re: SPNEGO and NTLMv2

Posted by Pedro Saraiva <ps...@maisis.pt>.
Hi,

The server sends only Negotiate, but the negotiable sub-mechanisms 
include Kerberos and NTLMv2 (not NTLM). I think that's why it's called 
Negotiate: the server and the client can agree upon a supported 
mechanism by both.
In attachment goes a screenshot of Wireshark that shows the packets sent 
during a session between a browser and the server.
As you can see the server sends an Unauthorized with only 
WWW-Authenticate: Negotiate. Then the browser starts the negotiation 
with the server using NTLMv2.

Kind regards,

Pedro Saraiva

On 05-06-2012 15:31, Oleg Kalnichevski wrote:
> On Tue, 2012-06-05 at 15:19 +0100, Pedro Saraiva wrote:
>> Hi Oleg,
>>
>> Here's the session log from the code I posted earlier:
>>
>> executing request: GET /services/files/ HTTP/1.1
>> to target: http://172.27.192.171:8080
>> 2012/06/05 15:13:53:580 WEST [DEBUG] BasicClientConnectionManager - Get
>> connection for route {}->http://172.27.192.171:8080
>> 2012/06/05 15:13:53:604 WEST [DEBUG] DefaultClientConnectionOperator -
>> Connecting to 172.27.192.171:8080
>> 2012/06/05 15:13:53:625 WEST [DEBUG] RequestAddCookies - CookieSpec
>> selected: best-match
>> 2012/06/05 15:13:53:643 WEST [DEBUG] RequestAuthCache - Auth cache not
>> set in the context
>> 2012/06/05 15:13:53:644 WEST [DEBUG] RequestTargetAuthentication -
>> Target auth state: UNCHALLENGED
>> 2012/06/05 15:13:53:644 WEST [DEBUG] RequestProxyAuthentication - Proxy
>> auth state: UNCHALLENGED
>> 2012/06/05 15:13:53:644 WEST [DEBUG] DefaultHttpClient - Attempt 1 to
>> execute request
>> 2012/06/05 15:13:53:645 WEST [DEBUG] DefaultClientConnection - Sending
>> request: GET /services/files/ HTTP/1.1
>> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>  GET /services/files/
>> HTTP/1.1
>> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>  Host: 172.27.192.171:8080
>> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>  Connection: Keep-Alive
>> 2012/06/05 15:13:53:646 WEST [DEBUG] headers ->>  User-Agent:
>> Apache-HttpClient/4.2 (java 1.5)
>> 2012/06/05 15:13:53:653 WEST [DEBUG] DefaultClientConnection - Receiving
>> response: HTTP/1.1 401 Unauthorized
>> 2012/06/05 15:13:53:653 WEST [DEBUG] headers -<<  HTTP/1.1 401 Unauthorized
>> 2012/06/05 15:13:53:653 WEST [DEBUG] headers -<<  Server: Apache-Coyote/1.1
>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  X-Powered-By:
>> Servlet/3.0; JBossAS-6
>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  WWW-Authenticate:
>> Negotiate
> Well, as you can see the server has been configured to support SPNEGO
> only. NTLM is not included in the authentication challenge as a supported
> option.
>
> Oleg
>
>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  Connection: keep-alive
>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  Content-Type:
>> text/html;charset=utf-8
>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  Content-Length: 952
>> 2012/06/05 15:13:53:654 WEST [DEBUG] headers -<<  Date: Tue, 05 Jun 2012
>> 14:14:50 GMT
>> 2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient - Connection can
>> be kept alive indefinitely
>> 2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient -
>> 172.27.192.171:8080 requested authentication
>> 2012/06/05 15:13:53:661 WEST [DEBUG] TargetAuthenticationStrategy -
>> Authentication schemes in the order of preference: [negotiate, Kerberos,
>> NTLM, Digest, Basic]
>> 2012/06/05 15:13:53:675 WEST [DEBUG] SPNegoScheme - Received challenge
>> '' from the auth server
>> 2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy -
>> Challenge for Kerberos authentication scheme not available
>> 2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy -
>> Challenge for NTLM authentication scheme not available
>> 2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy -
>> Challenge for Digest authentication scheme not available
>> 2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy -
>> Challenge for Basic authentication scheme not available
>> 2012/06/05 15:13:53:677 WEST [DEBUG] DefaultHttpClient - Selected
>> authentication options: [NEGOTIATE]
>> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestAddCookies - CookieSpec
>> selected: best-match
>> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestAuthCache - Auth cache not
>> set in the context
>> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication -
>> Target auth state: CHALLENGED
>> 2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication -
>> Generating response to an authentication challenge using Negotiate scheme
>> 2012/06/05 15:13:53:679 WEST [DEBUG] SPNegoScheme - init 172.27.192.171:8080
>> 2012/06/05 15:13:53:750 WEST [WARN] RequestTargetAuthentication -
>> NEGOTIATE authentication error: No valid credentials provided (Mechanism
>> level: No valid credentials provided (Mechanism level: Failed to find
>> any Kerberos tgt))
>> 2012/06/05 15:13:53:750 WEST [DEBUG] RequestProxyAuthentication - Proxy
>> auth state: UNCHALLENGED
>> 2012/06/05 15:13:53:750 WEST [DEBUG] DefaultHttpClient - Attempt 2 to
>> execute request
>> 2012/06/05 15:13:53:750 WEST [DEBUG] DefaultClientConnection - Sending
>> request: GET /services/files/ HTTP/1.1
>> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>  GET /services/files/
>> HTTP/1.1
>> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>  Host: 172.27.192.171:8080
>> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>  Connection: Keep-Alive
>> 2012/06/05 15:13:53:751 WEST [DEBUG] headers ->>  User-Agent:
>> Apache-HttpClient/4.2 (java 1.5)
>> 2012/06/05 15:13:53:776 WEST [DEBUG] DefaultClientConnection - Receiving
>> response: HTTP/1.1 401 Unauthorized
>> ----------------------------------------
>> HTTP/1.1 401 Unauthorized
>> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<  HTTP/1.1 401 Unauthorized
>> Response content length: 952
>> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<  Server: Apache-Coyote/1.1
>> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<  X-Powered-By:
>> Servlet/3.0; JBossAS-6
>> 2012/06/05 15:13:53:776 WEST [DEBUG] headers -<<  WWW-Authenticate:
>> Negotiate
>> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<  Connection: keep-alive
>> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<  Content-Type:
>> text/html;charset=utf-8
>> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<  Content-Length: 952
>> 2012/06/05 15:13:53:777 WEST [DEBUG] headers -<<  Date: Tue, 05 Jun 2012
>> 14:14:50 GMT
>> 2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient - Connection can
>> be kept alive indefinitely
>> 2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient -
>> 172.27.192.171:8080 requested authentication
>> 2012/06/05 15:13:53:778 WEST [DEBUG] DefaultHttpClient - Authorization
>> challenge processed
>> 2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Received challenge
>> '' from the auth server
>> 2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Authentication
>> already attempted
>> 2012/06/05 15:13:53:780 WEST [DEBUG] DefaultHttpClient - Authentication
>> failed
>> 2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager -
>> Releasing connection
>> org.apache.http.impl.conn.ManagedClientConnectionImpl@7f565474
>> 2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager -
>> Connection can be kept alive indefinitely
>> 2012/06/05 15:13:53:783 WEST [DEBUG] DefaultClientConnection -
>> Connection 0.0.0.0:43639<->172.27.192.171:8080 closed
>>
>> Kind regards,
>> Pedro Saraiva
>>
>> On 05-06-2012 15:00, Oleg Kalnichevski wrote:
>>> On Tue, 2012-06-05 at 11:52 +0100, Pedro Saraiva wrote:
>>>> Hello,
>>>>
>>>> I have a site protected with SPNEGO. The authentication can be performed
>>>> with both Kerberos and NTLMv2.
>>>>
>>>> I'm trying to use HttpClient 4.2 to authenticate against this site
>>>> through NTLMv2 but without success so far. Here's my sample code:
>>>>
>>>>            HttpHost targetHost = new HttpHost("172.27.192.171", 8080, "http");
>>>>
>>>>            DefaultHttpClient httpclient = new DefaultHttpClient();
>>>>
>>>>            try {
>>>>                httpclient.getCredentialsProvider().setCredentials(
>>>>                        new AuthScope(targetHost.getHostName(),
>>>> targetHost.getPort()),
>>>>                        new NTCredentials("psaraiva", "psaraiva",
>>>> InetAddress.getLocalHost().getHostName(), "DEV"));
>>>>                        //new UsernamePasswordCredentials("psaraiva",
>>>> "psaraiva" ));
>>>>
>>>>                // Create AuthCache instance
>>>>                AuthCache authCache = new BasicAuthCache();
>>>>                // Generate BASIC scheme object and add it to the local
>>>>                // auth cache
>>>>                BasicScheme basicAuth = new BasicScheme();
>>>>                authCache.put(targetHost, basicAuth);
>>>>
>>>>                // Add AuthCache to the execution context
>>>>                BasicHttpContext localcontext = new BasicHttpContext();
>>>>                localcontext.setAttribute(ClientContext.AUTH_CACHE, authCache);
>>>>
>>>>                HttpGet httpget = new HttpGet("/services/files/");
>>>>
>>>>                System.out.println("executing request: " +
>>>> httpget.getRequestLine());
>>>>                System.out.println("to target: " + targetHost);
>>>>
>>>>                HttpResponse response = httpclient.execute(targetHost,
>>>> httpget);//, localcontext);
>>>>                HttpEntity entity = response.getEntity();
>>>>
>>>>
>>>> System.out.println("----------------------------------------");
>>>>                 System.out.println(response.getStatusLine());
>>>>                  if (entity != null) {
>>>>                      System.out.println("Response content length: " +
>>>> entity.getContentLength());
>>>>                  }
>>>>                  EntityUtils.consume(entity);
>>>>
>>>>            } finally {
>>>>                // When HttpClient instance is no longer needed,
>>>>                // shut down the connection manager to ensure
>>>>                // immediate deallocation of all system resources
>>>>                httpclient.getConnectionManager().shutdown();
>>>>            }
>>>>
>>>> HttpClient seems to only try the Kerberos authentication and outputs the
>>>> following warning:
>>>> WARN [main] (RequestAuthenticationBase.java:88) - NEGOTIATE
>>>> authentication error: No valid credentials provided (Mechanism level: No
>>>> valid credentials provided (Mechanism level: Failed to find any Kerberos
>>>> tgt))
>>>>
>>>> However, I want it to force it to use NTLMv2. From the HttpClient NTLM
>>>> auth page it states that NTLMv2 is supported since version 4.1.
>>>>
>>>> Does HttpClient 4.2 support NTLMv2 over SPNEGO? Or it's my bad
>>>> configuration that's causing it not to use NTLMv2?
>>>>
>>>> Kind regards,
>>>>
>>>> Pedro Saraiva
>>>>
>>> Hi Pedro
>>>
>>> Generally SPNEGO takes precedence over NTLM per default but HttpClient
>>> 4.2 should have automatically attempted to authenticate with NTLM after
>>> SPNEGO failure.
>>>
>>> Could you please post a complete wire log of the HTTP session?
>>>
>>> http://hc.apache.org/httpcomponents-client-ga/logging.html
>>>
>>> Oleg
>>>
>>>
>>>
>
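
Added example (not part of the original thread, and not HttpClient code): the observation in the message above, that a bare "WWW-Authenticate: Negotiate" challenge is answered by the browser with NTLMv2, can be confirmed from a header log by decoding the token the client sends back. This Python script classifies such tokens as raw NTLMSSP or SPNEGO-wrapped; the function names, the sample tokens and every sample log line except the first are constructed for illustration.

```python
import base64
import binascii
import re
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE (type 1)", 2: "CHALLENGE (type 2)",
              3: "AUTHENTICATE (type 3)"}

# DER-encoded mechanism OIDs: tag 0x06, length, value.
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_OIDS = {OID_KRB5: "Kerberos 5", OID_MS_KRB5: "Kerberos 5 (MS)",
             OID_NTLMSSP: "NTLMSSP"}

# Matches HttpClient header-log lines such as "headers - << WWW-Authenticate: ..."
HEADER_RE = re.compile(
    r"headers\s*-\s*(>>|<<)\s*(WWW-Authenticate|Authorization):\s*(.*)$", re.I)


def der_content_offset(data):
    """Return the offset of the content that follows a DER tag and length."""
    if len(data) < 2:
        raise ValueError("truncated DER header")
    if data[1] < 0x80:                      # short-form length
        return 2
    n = data[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n


def classify_token(token):
    """Return (mechanism, detail) for a decoded Negotiate/NTLM token."""
    if token.startswith(NTLMSSP_SIGNATURE):
        if len(token) < 12:
            return ("NTLM", "truncated NTLMSSP message")
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return ("NTLM", NTLM_TYPES.get(msg_type, "unknown type %d" % msg_type))
    if token[:1] == b"\x60":                # GSS-API InitialContextToken
        try:
            body = token[der_content_offset(token):]
        except ValueError as exc:
            return ("unknown", str(exc))
        if body.startswith(OID_SPNEGO):
            rest = body[len(OID_SPNEGO):]
            # Heuristic, not a full ASN.1 parse: locate known mechanism OIDs;
            # their order of appearance is the client's order of preference.
            found = sorted((rest.find(oid), name)
                           for oid, name in MECH_OIDS.items() if oid in rest)
            if not found:
                return ("SPNEGO", "no known mechanism OID")
            return ("SPNEGO", "offers " + ", ".join(name for _, name in found))
        for oid, name in MECH_OIDS.items():
            if body.startswith(oid):
                return (name, "GSS-API token without SPNEGO wrapper")
        return ("unknown", "GSS-API token with unrecognised mechanism OID")
    if token[:1] == b"\xa1":
        return ("SPNEGO", "NegTokenResp (continuation of an exchange)")
    return ("unknown", "unrecognised token")


def classify_header_value(value):
    """Return (scheme, mechanism, detail) for an auth header value."""
    parts = value.strip().split(None, 1)
    if not parts:
        return ("", "none", "empty header value")
    if len(parts) == 1:
        return (parts[0], "none", "bare challenge, no token")
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return (parts[0], "unknown", "parameter is not valid base64")
    return (parts[0],) + classify_token(token)


def scan_wire_log(lines):
    """Return one (direction, header, scheme, mechanism, detail) per auth header."""
    rows = []
    for line in lines:
        m = HEADER_RE.search(line)
        if m:
            direction = "request" if m.group(1) == ">>" else "response"
            rows.append((direction, m.group(2)) + classify_header_value(m.group(3)))
    return rows


def der_short(tag, content):
    """Encode a DER element shorter than 128 bytes (sample construction only)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content


def build_samples():
    """Constructed tokens for illustration; not captured traffic."""
    ntlm_type1 = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0x00088207) + b"\x00" * 16
    mech_types = der_short(0x30, OID_KRB5 + OID_NTLMSSP)
    neg_token_init = der_short(0xA0, der_short(0x30, der_short(0xA0, mech_types)))
    return ntlm_type1, der_short(0x60, OID_SPNEGO + neg_token_init)


def sample_log():
    """First line is the challenge from the thread; the rest are constructed."""
    ntlm_type1, spnego = build_samples()
    prefix = "2012/06/05 15:13:53:654 WEST [DEBUG] headers - "
    return [
        prefix + "<< WWW-Authenticate: Negotiate",
        prefix + ">> Authorization: Negotiate " + base64.b64encode(ntlm_type1).decode(),
        prefix + ">> Authorization: Negotiate " + base64.b64encode(spnego).decode(),
        prefix + ">> Host: 172.27.192.171:8080",
    ]


if __name__ == "__main__":
    for row in scan_wire_log(sample_log()):
        print(row)
```

A Negotiate token whose base64 text begins with "TlRMTVNTUAAB" is a raw NTLM type 1 message, while a SPNEGO-wrapped token begins with byte 0x60 and lists its mechanisms as OIDs.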



Re: SPNEGO and NTLMv2

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2012-06-05 at 15:19 +0100, Pedro Saraiva wrote:
> Hi Oleg,
> 
> Here's the session log from the code I posted earlier:
> 
> executing request: GET /services/files/ HTTP/1.1
> to target: http://172.27.192.171:8080
> 2012/06/05 15:13:53:580 WEST [DEBUG] BasicClientConnectionManager - Get connection for route {}->http://172.27.192.171:8080
> 2012/06/05 15:13:53:604 WEST [DEBUG] DefaultClientConnectionOperator - Connecting to 172.27.192.171:8080
> 2012/06/05 15:13:53:625 WEST [DEBUG] RequestAddCookies - CookieSpec selected: best-match
> 2012/06/05 15:13:53:643 WEST [DEBUG] RequestAuthCache - Auth cache not set in the context
> 2012/06/05 15:13:53:644 WEST [DEBUG] RequestTargetAuthentication - Target auth state: UNCHALLENGED
> 2012/06/05 15:13:53:644 WEST [DEBUG] RequestProxyAuthentication - Proxy auth state: UNCHALLENGED
> 2012/06/05 15:13:53:644 WEST [DEBUG] DefaultHttpClient - Attempt 1 to execute request
> 2012/06/05 15:13:53:645 WEST [DEBUG] DefaultClientConnection - Sending request: GET /services/files/ HTTP/1.1
> 2012/06/05 15:13:53:646 WEST [DEBUG] headers - >> GET /services/files/ HTTP/1.1
> 2012/06/05 15:13:53:646 WEST [DEBUG] headers - >> Host: 172.27.192.171:8080
> 2012/06/05 15:13:53:646 WEST [DEBUG] headers - >> Connection: Keep-Alive
> 2012/06/05 15:13:53:646 WEST [DEBUG] headers - >> User-Agent: Apache-HttpClient/4.2 (java 1.5)
> 2012/06/05 15:13:53:653 WEST [DEBUG] DefaultClientConnection - Receiving response: HTTP/1.1 401 Unauthorized
> 2012/06/05 15:13:53:653 WEST [DEBUG] headers - << HTTP/1.1 401 Unauthorized
> 2012/06/05 15:13:53:653 WEST [DEBUG] headers - << Server: Apache-Coyote/1.1
> 2012/06/05 15:13:53:654 WEST [DEBUG] headers - << X-Powered-By: Servlet/3.0; JBossAS-6
> 2012/06/05 15:13:53:654 WEST [DEBUG] headers - << WWW-Authenticate: Negotiate

Well, as you can see, the server has been configured to support SPNEGO
only. NTLM is not included in the authentication challenge as a supported
option.

Oleg


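The check Oleg makes by eye above (which schemes the server's 401 actually offers), as an added example that is not part of the original messages and not HttpClient code: it reads header wire-log lines in the format shown in this thread, including mail-quoted and wrapped ones, and reports per response whether NTLM was offered. The function names and the last five sample lines are constructed for illustration; it assumes one challenge per WWW-Authenticate header line.

```python
import base64
import re

# The first four sample lines come from the log in this thread (mail-quoted and
# wrapped); the remaining five are constructed to show a server offering NTLM.
NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00\x02\x00\x00\x00").decode()  # constructed
SAMPLE_LOG = """\
> 2012/06/05 15:13:53:653 WEST [DEBUG] headers - << HTTP/1.1 401 Unauthorized
> 2012/06/05 15:13:53:654 WEST [DEBUG] headers - << WWW-Authenticate:
> Negotiate
> 2012/06/05 15:13:53:654 WEST [DEBUG] headers - << Content-Length: 952
2012/06/05 15:20:00:000 WEST [DEBUG] headers - << HTTP/1.1 401 Unauthorized
2012/06/05 15:20:00:001 WEST [DEBUG] headers - << WWW-Authenticate: Negotiate
2012/06/05 15:20:00:001 WEST [DEBUG] headers - << WWW-Authenticate: NTLM
2012/06/05 15:20:00:050 WEST [DEBUG] headers - << HTTP/1.1 401 Unauthorized
2012/06/05 15:20:00:051 WEST [DEBUG] headers - << WWW-Authenticate: NTLM """ + NTLM_TOKEN + "\n"

TIMESTAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3} ")
RESPONSE_HEADER = re.compile(r"headers - << (.*)$")


def unwrap(text):
    """Strip mail quote markers and rejoin log lines that the mailer wrapped."""
    lines = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line  # continuation of the previous log line
    return lines


def classify_token(b64):
    """Name what a challenge token carries, judging by its leading bytes."""
    if not b64:
        return "none"
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return "undecodable"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlmssp"
    if raw[:1] == b"\x60":  # ASN.1 [APPLICATION 0]: GSS-API initial token
        return "gss-api"
    if raw[:1] == b"\xa1":  # ASN.1 [1]: SPNEGO NegTokenResp
        return "spnego-response"
    return "unknown"


def offered_challenges(text):
    """Return one list of (scheme, token kind) per server response in the log."""
    responses = []
    for line in unwrap(text):
        match = RESPONSE_HEADER.search(line)
        if not match:
            continue
        header = match.group(1)
        if header.startswith("HTTP/"):
            responses.append([])  # status line opens a new response
        elif header.lower().startswith("www-authenticate:") and responses:
            value = header.split(":", 1)[1].strip()
            scheme, _, token = value.partition(" ")
            responses[-1].append((scheme.lower(), classify_token(token.strip())))
    return responses


def ntlm_offered(text):
    """One bool per challenged response: did the server offer NTLM at all?"""
    return [any(scheme == "ntlm" or kind == "ntlmssp" for scheme, kind in ch)
            for ch in offered_challenges(text) if ch]


if __name__ == "__main__":
    for number, challenges in enumerate(offered_challenges(SAMPLE_LOG), 1):
        print(number, challenges)
    print("NTLM offered per response:", ntlm_offered(SAMPLE_LOG))
```
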

Re: SPNEGO and NTLMv2

Posted by Pedro Saraiva <ps...@maisis.pt>.
Hi Oleg,

Here's the session log from the code I posted earlier:

executing request: GET /services/files/ HTTP/1.1
to target: http://172.27.192.171:8080
2012/06/05 15:13:53:580 WEST [DEBUG] BasicClientConnectionManager - Get connection for route {}->http://172.27.192.171:8080
2012/06/05 15:13:53:604 WEST [DEBUG] DefaultClientConnectionOperator - Connecting to 172.27.192.171:8080
2012/06/05 15:13:53:625 WEST [DEBUG] RequestAddCookies - CookieSpec selected: best-match
2012/06/05 15:13:53:643 WEST [DEBUG] RequestAuthCache - Auth cache not set in the context
2012/06/05 15:13:53:644 WEST [DEBUG] RequestTargetAuthentication - Target auth state: UNCHALLENGED
2012/06/05 15:13:53:644 WEST [DEBUG] RequestProxyAuthentication - Proxy auth state: UNCHALLENGED
2012/06/05 15:13:53:644 WEST [DEBUG] DefaultHttpClient - Attempt 1 to execute request
2012/06/05 15:13:53:645 WEST [DEBUG] DefaultClientConnection - Sending request: GET /services/files/ HTTP/1.1
2012/06/05 15:13:53:646 WEST [DEBUG] headers - >> GET /services/files/ HTTP/1.1
2012/06/05 15:13:53:646 WEST [DEBUG] headers - >> Host: 172.27.192.171:8080
2012/06/05 15:13:53:646 WEST [DEBUG] headers - >> Connection: Keep-Alive
2012/06/05 15:13:53:646 WEST [DEBUG] headers - >> User-Agent: Apache-HttpClient/4.2 (java 1.5)
2012/06/05 15:13:53:653 WEST [DEBUG] DefaultClientConnection - Receiving response: HTTP/1.1 401 Unauthorized
2012/06/05 15:13:53:653 WEST [DEBUG] headers - << HTTP/1.1 401 Unauthorized
2012/06/05 15:13:53:653 WEST [DEBUG] headers - << Server: Apache-Coyote/1.1
2012/06/05 15:13:53:654 WEST [DEBUG] headers - << X-Powered-By: Servlet/3.0; JBossAS-6
2012/06/05 15:13:53:654 WEST [DEBUG] headers - << WWW-Authenticate: Negotiate
2012/06/05 15:13:53:654 WEST [DEBUG] headers - << Connection: keep-alive
2012/06/05 15:13:53:654 WEST [DEBUG] headers - << Content-Type: text/html;charset=utf-8
2012/06/05 15:13:53:654 WEST [DEBUG] headers - << Content-Length: 952
2012/06/05 15:13:53:654 WEST [DEBUG] headers - << Date: Tue, 05 Jun 2012 14:14:50 GMT
2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient - Connection can be kept alive indefinitely
2012/06/05 15:13:53:660 WEST [DEBUG] DefaultHttpClient - 172.27.192.171:8080 requested authentication
2012/06/05 15:13:53:661 WEST [DEBUG] TargetAuthenticationStrategy - Authentication schemes in the order of preference: [negotiate, Kerberos, NTLM, Digest, Basic]
2012/06/05 15:13:53:675 WEST [DEBUG] SPNegoScheme - Received challenge '' from the auth server
2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy - Challenge for Kerberos authentication scheme not available
2012/06/05 15:13:53:676 WEST [DEBUG] TargetAuthenticationStrategy - Challenge for NTLM authentication scheme not available
2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy - Challenge for Digest authentication scheme not available
2012/06/05 15:13:53:677 WEST [DEBUG] TargetAuthenticationStrategy - Challenge for Basic authentication scheme not available
2012/06/05 15:13:53:677 WEST [DEBUG] DefaultHttpClient - Selected authentication options: [NEGOTIATE]
2012/06/05 15:13:53:678 WEST [DEBUG] RequestAddCookies - CookieSpec selected: best-match
2012/06/05 15:13:53:678 WEST [DEBUG] RequestAuthCache - Auth cache not set in the context
2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication - Target auth state: CHALLENGED
2012/06/05 15:13:53:678 WEST [DEBUG] RequestTargetAuthentication - Generating response to an authentication challenge using Negotiate scheme
2012/06/05 15:13:53:679 WEST [DEBUG] SPNegoScheme - init 172.27.192.171:8080
2012/06/05 15:13:53:750 WEST [WARN] RequestTargetAuthentication - NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
2012/06/05 15:13:53:750 WEST [DEBUG] RequestProxyAuthentication - Proxy auth state: UNCHALLENGED
2012/06/05 15:13:53:750 WEST [DEBUG] DefaultHttpClient - Attempt 2 to execute request
2012/06/05 15:13:53:750 WEST [DEBUG] DefaultClientConnection - Sending request: GET /services/files/ HTTP/1.1
2012/06/05 15:13:53:751 WEST [DEBUG] headers - >> GET /services/files/ HTTP/1.1
2012/06/05 15:13:53:751 WEST [DEBUG] headers - >> Host: 172.27.192.171:8080
2012/06/05 15:13:53:751 WEST [DEBUG] headers - >> Connection: Keep-Alive
2012/06/05 15:13:53:751 WEST [DEBUG] headers - >> User-Agent: Apache-HttpClient/4.2 (java 1.5)
2012/06/05 15:13:53:776 WEST [DEBUG] DefaultClientConnection - Receiving response: HTTP/1.1 401 Unauthorized
----------------------------------------
HTTP/1.1 401 Unauthorized
2012/06/05 15:13:53:776 WEST [DEBUG] headers - << HTTP/1.1 401 Unauthorized
Response content length: 952
2012/06/05 15:13:53:776 WEST [DEBUG] headers - << Server: Apache-Coyote/1.1
2012/06/05 15:13:53:776 WEST [DEBUG] headers - << X-Powered-By: Servlet/3.0; JBossAS-6
2012/06/05 15:13:53:776 WEST [DEBUG] headers - << WWW-Authenticate: Negotiate
2012/06/05 15:13:53:777 WEST [DEBUG] headers - << Connection: keep-alive
2012/06/05 15:13:53:777 WEST [DEBUG] headers - << Content-Type: text/html;charset=utf-8
2012/06/05 15:13:53:777 WEST [DEBUG] headers - << Content-Length: 952
2012/06/05 15:13:53:777 WEST [DEBUG] headers - << Date: Tue, 05 Jun 2012 14:14:50 GMT
2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient - Connection can be kept alive indefinitely
2012/06/05 15:13:53:777 WEST [DEBUG] DefaultHttpClient - 172.27.192.171:8080 requested authentication
2012/06/05 15:13:53:778 WEST [DEBUG] DefaultHttpClient - Authorization challenge processed
2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Received challenge '' from the auth server
2012/06/05 15:13:53:778 WEST [DEBUG] SPNegoScheme - Authentication already attempted
2012/06/05 15:13:53:780 WEST [DEBUG] DefaultHttpClient - Authentication failed
2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager - Releasing connection org.apache.http.impl.conn.ManagedClientConnectionImpl@7f565474
2012/06/05 15:13:53:783 WEST [DEBUG] BasicClientConnectionManager - Connection can be kept alive indefinitely
2012/06/05 15:13:53:783 WEST [DEBUG] DefaultClientConnection - Connection 0.0.0.0:43639<->172.27.192.171:8080 closed

Kind regards,
Pedro Saraiva



Re: SPNEGO and NTLMv2

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2012-06-05 at 11:52 +0100, Pedro Saraiva wrote:
> Hello,
> 
> I have a site protected with SPNEGO. The authentication can be performed 
> with both Kerberos and NTLMv2.
> 
> I'm trying to use HttpClient 4.2 to authenticate against this site 
> through NTLMv2 but without success so far. Here's my sample code:
> 
>          HttpHost targetHost = new HttpHost("172.27.192.171", 8080, "http");
> 
>          DefaultHttpClient httpclient = new DefaultHttpClient();
> 
>          try {
>              httpclient.getCredentialsProvider().setCredentials(
>                      new AuthScope(targetHost.getHostName(), targetHost.getPort()),
>                      new NTCredentials("psaraiva", "psaraiva", InetAddress.getLocalHost().getHostName(), "DEV"));
>                      //new UsernamePasswordCredentials("psaraiva", "psaraiva" ));
> 
>              // Create AuthCache instance
>              AuthCache authCache = new BasicAuthCache();
>              // Generate BASIC scheme object and add it to the local
>              // auth cache
>              BasicScheme basicAuth = new BasicScheme();
>              authCache.put(targetHost, basicAuth);
> 
>              // Add AuthCache to the execution context
>              BasicHttpContext localcontext = new BasicHttpContext();
>              localcontext.setAttribute(ClientContext.AUTH_CACHE, authCache);
> 
>              HttpGet httpget = new HttpGet("/services/files/");
> 
>              System.out.println("executing request: " + httpget.getRequestLine());
>              System.out.println("to target: " + targetHost);
> 
>              HttpResponse response = httpclient.execute(targetHost, httpget);//, localcontext);
>              HttpEntity entity = response.getEntity();
> 
>              System.out.println("----------------------------------------");
>              System.out.println(response.getStatusLine());
>              if (entity != null) {
>                  System.out.println("Response content length: " + entity.getContentLength());
>              }
>              EntityUtils.consume(entity);
> 
>          } finally {
>              // When HttpClient instance is no longer needed,
>              // shut down the connection manager to ensure
>              // immediate deallocation of all system resources
>              httpclient.getConnectionManager().shutdown();
>          }
> 
> HttpClient seems to only try the Kerberos authentication and outputs the 
> following warning:
> WARN [main] (RequestAuthenticationBase.java:88) - NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
> 
> However, I want to force it to use NTLMv2. The HttpClient NTLM 
> auth page states that NTLMv2 is supported since version 4.1.
> 
> Does HttpClient 4.2 support NTLMv2 over SPNEGO? Or is it my bad 
> configuration that's causing it not to use NTLMv2?
> 
> Kind regards,
> 
> Pedro Saraiva
> 

Hi Pedro

Generally SPNEGO takes precedence over NTLM by default, but HttpClient
4.2 should have automatically attempted to authenticate with NTLM after
SPNEGO failure.

Could you please post a complete wire log of the HTTP session?

http://hc.apache.org/httpcomponents-client-ga/logging.html

Oleg


