Posted to httpclient-users@hc.apache.org by Jeff Ling <je...@google.com> on 2006/11/01 17:51:59 UTC

ntlm issues 2 - Unknown user name or bad password

Hi guys,

This is an even stranger problem that I've been struggling with. I am using
Axis2 to call MS Sharepoint web services. At most customers, it works well.
However, at this one customer, the authentication just fails, and the event
log message on the web server says: "Unknown user name or bad password". Of
course, the first possibility was an invalid user name/password, as the error
message suggested. But I tried many different variations. And I've written a
.Net client to try it with the same credential, and it works. Of course, it
could be using NTLMv2 instead. So I tried another application that only
supports NTLMv1 (it's a C++ implementation), and it also works! I also
turned on wire trace. I know the host doesn't enforce NTLMv2.

The next thing I did was getting all the Axis2 source code, and then all the
httpclient source code down. I put in more trace, and saw the type 1 -> type
2 -> type 3 message handshaking. I even printed out the user name, password,
host, domain, and everything seems correct. But after the type 3 message was
sent to the server, the server returns 401. The only thing I didn't do is to
analyze the NTLM messages because I don't know how to validate them!

The client is running on the same machine as the web server. The user
account is a local account (not a domain account), JDK is 1.4.x, and
httpclient is 3.0.1. On the server, it says:

Logon Failure:
     Reason:        Unknown user name or bad password
     User Name:    SHAREPOINTADMIN
     Domain:        ITDSPDEV
     Logon Type:    3
     Logon Process:    NtLmSsp
     Authentication Package:    NTLM
     Workstation Name:    ITDSPDEV.COJ.NET
     Caller User Name:    -
     Caller Domain:    -
     Caller Logon ID:    -
     Caller Process ID:    -
     Transited Services:    -
     Source Network Address:    161.243.4.71
     Source Port:    2009


Logon attempt by:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:    SHAREPOINTADMIN
 Source Workstation:    ITDSPDEV.COJ.NET
 Error Code:    0xC000006A



Any suggestions? What else can I do?

Thanks,
Jeff
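
Added example, not part of the original post and not HttpClient code: a decoder for the type 3 token taken from a wire trace's "Authorization: NTLM ..." header. It shows the domain, user and workstation the client actually sent, whether the strings are Unicode or OEM, and whether the NT response is NTLMv1-sized (24 bytes) or longer. The names decode_type3 and build_sample are hypothetical, and the sample message is constructed with dummy response bytes.

```python
import base64
import struct

NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise
# Security buffers in header order from byte 12: len(2) maxlen(2) offset(4).
FIELDS = ("lm_response", "nt_response", "domain", "user", "workstation")


def decode_type3(header_value):
    """Decode the token of an 'Authorization: NTLM <base64>' header value."""
    msg = base64.b64decode(header_value.split()[-1])
    if len(msg) < 52 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a type 3 message")
    raw, payload_start = {}, len(msg)
    for i, name in enumerate(FIELDS):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        if offset + length > len(msg):
            raise ValueError(name + " buffer runs past the end of the message")
        raw[name] = msg[offset:offset + length]
        if length:
            payload_start = min(payload_start, offset)
    # The session key buffer (byte 52) and flags (byte 60) are optional and
    # only present when the payload begins at or after byte 64.
    flags = struct.unpack_from("<I", msg, 60)[0] if payload_start >= 64 else None
    unicode_strings = bool(flags is not None and flags & NEGOTIATE_UNICODE)
    # OEM code pages vary by host; latin-1 is used because it cannot fail.
    codec = "utf-16-le" if unicode_strings else "latin-1"
    nt_len = len(raw["nt_response"])
    # 24 bytes is an NTLMv1-sized response; NTLMv2 responses are longer.
    nt_kind = {0: "absent", 24: "v1-sized"}.get(
        nt_len, "v2-sized" if nt_len > 24 else "malformed")
    return {
        "domain": raw["domain"].decode(codec),
        "user": raw["user"].decode(codec),
        "workstation": raw["workstation"].decode(codec),
        "unicode": unicode_strings,
        "lm_len": len(raw["lm_response"]),
        "nt_len": nt_len,
        "nt_kind": nt_kind,
    }


def build_sample(domain, user, workstation, flags=0x00000002):
    """Constructed type 3 message with dummy 24-byte responses (test input)."""
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    parts = [b"\x11" * 24, b"\x22" * 24]
    parts += [s.encode(codec) for s in (domain, user, workstation)]
    header, payload = b"NTLMSSP\x00" + struct.pack("<I", 3), b""
    for part in parts:
        header += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    header += struct.pack("<HHII", 0, 0, 64 + len(payload), flags)
    return "NTLM " + base64.b64encode(header + payload).decode("ascii")
```

Comparing the decoded domain, user and workstation with the values in the server's logon failure event shows whether the client sent what was printed in the application trace.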

Re: ntlm issues 2 - Unknown user name or bad password

Posted by Jeff Ling <je...@google.com>.
Thanks!


On 11/1/06, Oleg Kalnichevski <ol...@apache.org> wrote:
>
> On Wed, 2006-11-01 at 09:39 -0800, Jeff Ling wrote:
> > Hi Oleg,
> >
> > I might give it a try.
> >
> > Does it mean I need to use "custom auth scheme"?
>
> All you have to do is to register your custom auth scheme instead of the
> stock one and HttpClient will automatically pick it up.
>
> Oleg


-- 
Jeff Ling
Product Solutions Engineer
GOOGLE
Office: (650) 253-3095
Fax: (650) 618-1835
Email: jeffling@google.com

Re: ntlm issues 2 - Unknown user name or bad password

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2006-11-01 at 09:39 -0800, Jeff Ling wrote:
> Hi Oleg,
> 
> I might give it a try.
> 
> Does it mean I need to use "custom auth scheme"?

All you have to do is to register your custom auth scheme instead of the
stock one and HttpClient will automatically pick it up.

Oleg


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org


Re: ntlm issues 2 - Unknown user name or bad password

Posted by Jeff Ling <je...@google.com>.
Hi Oleg,

I might give it a try.

Does it mean I need to use "custom auth scheme"?

Thanks,
Jeff


Re: ntlm issues 2 - Unknown user name or bad password

Posted by Oleg Kalnichevski <ol...@apache.org>.
Jeff,

It is plausible that HttpClient's low-level NTLM code is simply buggy.
None of the current HttpClient committers is very knowledgeable about
NTLM and its inner workings. Moreover, none of us seems interested in
getting more involved with the subject.

Our long-term plan is to have our home-brewed code replaced with JCIFS;
the library is being developed and maintained by the Samba project.

The analysis of the problem you gave above suggests you already know
more about the subject than any of us. If you have enough incentive and
determination to 'scratch your own itch', you may want to consider
developing an AuthScheme based on JCIFS. Besides, this would be a major
and a very welcome contribution to the project.

For more details on the subject please refer to this resource:

http://wiki.apache.org/jakarta-httpclient/FrequentlyAskedNTLMQuestions

Cheers,

Oleg

