Posted to dev@hc.apache.org by "Fuhrmann, Hauke" <Ha...@airbus.com> on 2004/05/03 16:11:14 UTC

NTLM authentication problem

Hi there,

I hope you can help me with a little problem I have:

I have to download a file from a MS IIS webserver which uses NTLM
authentication. The only client I performed a successful download with is
MS IE. But I have to use a Java client, so I tried the Jakarta Commons
HttpClient. I implemented a test class which sets the correct NTCredentials
and performs the request. The source looks something like this:

String url = "http://host/index.html";
NTCredentials creds =
    new NTCredentials(
        "username",
        "password",
        "hostname",
        "domain");
HttpClient client = new HttpClient();
HttpMethod method = new GetMethod(url);
client.getState().setCredentials(null, null, creds);

where 'username', 'password', 'hostname' and 'domain' are replaced with the
correct values for the server.
After running
int statusCode = client.executeMethod(method);
I get the following logfile output:

---------------------------------------

[DEBUG] HttpClient - -Java version: 1.4.2
[DEBUG] HttpClient - -Java vendor: Sun Microsystems Inc.
[DEBUG] HttpClient - -Operating system name: Windows 2000
[DEBUG] HttpClient - -Operating system architecture: x86
[DEBUG] HttpClient - -Operating system version: 5.0
[DEBUG] HttpClient - -SUN 1.42: SUN (DSA key/parameter generation; DSA
signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS
keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection
CertStores)
[DEBUG] HttpClient - -SunJSSE 1.42: Sun JSSE provider(implements RSA
Signatures, PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
[DEBUG] HttpClient - -SunRsaSign 1.42: SUN's provider for RSA signatures
[DEBUG] HttpClient - -SunJCE 1.42: SunJCE Provider (implements DES, Triple
DES, AES, Blowfish, PBE, Diffie-Hellman, HMAC-MD5, HMAC-SHA1)
[DEBUG] HttpClient - -SunJGSS 1.0: Sun (Kerberos v5)
[DEBUG] HttpConnection - -HttpConnection.setSoTimeout(0)
[DEBUG] HttpMethodBase - -Execute loop try 1
[DEBUG] wire - ->> "GET /index.html HTTP/1.1[\r][\n]"
[DEBUG] HttpMethodBase - -Adding Host request header
[DEBUG] wire - ->> "User-Agent: Jakarta
Commons-HttpClient/2.0final[\r][\n]"
[DEBUG] wire - ->> "Host: host[\r][\n]"
[DEBUG] wire - ->> "[\r][\n]"
[DEBUG] wire - -<< "HTTP/1.1 401 Access Denied[\r][\n]"
[DEBUG] wire - -<< "Server: Microsoft-IIS/5.0[\r][\n]"
[DEBUG] wire - -<< "Date: Mon, 03 May 2004 12:47:03 GMT[\r][\n]"
[DEBUG] wire - -<< "WWW-Authenticate: Negotiate[\r][\n]"
[DEBUG] wire - -<< "WWW-Authenticate: NTLM[\r][\n]"
[DEBUG] wire - -<< "Connection: close[\r][\n]"
[DEBUG] wire - -<< "Content-Length: 24[\r][\n]"
[DEBUG] wire - -<< "Content-Type: text/html[\r][\n]"
[DEBUG] HttpMethodBase - -Authorization required
[DEBUG] HttpAuthenticator - -Authenticating with the default authentication
realm at host
[DEBUG] HttpMethodBase - -HttpMethodBase.execute(): Server demanded
authentication credentials, will try again.
[DEBUG] wire - -<< "Error: Access is Denied."
[DEBUG] HttpMethodBase - -Should close connection in response to
Connection: close

[DEBUG] HttpMethodBase - -Execute loop try 2
[DEBUG] HttpMethodBase - -Opening the connection.
[DEBUG] wire - ->> "GET /index.html HTTP/1.1[\r][\n]"
[DEBUG] HttpMethodBase - -Request to add Host header ignored: header
already added
[DEBUG] wire - ->> "User-Agent: Jakarta
Commons-HttpClient/2.0final[\r][\n]"
[DEBUG] wire - ->> "Host: host[\r][\n]"
[DEBUG] wire - ->> "Authorization: NTLM
TlRMTVNTUAABAAAABlIAABgAGAAoAAAACAAIACAAAABEMDE1Nzc4MkFGSVMuUk9DS1dFTExDT0x
MSU5TLkNPTQ==[\r][\n]"
[DEBUG] wire - ->> "[\r][\n]"
[DEBUG] wire - -<< "HTTP/1.1 401 Access Denied[\r][\n]"
[DEBUG] wire - -<< "Server: Microsoft-IIS/5.0[\r][\n]"
[DEBUG] wire - -<< "Date: Mon, 03 May 2004 12:47:03 GMT[\r][\n]"
[DEBUG] wire - -<< "WWW-Authenticate: NTLM
TlRMTVNTUAACAAAABAAEADAAAAAGAoEAfy2cSecyuJ8AAAAAAAAAAI4AjgA0AAAAQUZJUwIACAB
BAEYASQBTAAEACABBAE4AUwBVAAQAMABhAGYAaQBzAC4AcgBvAGMAawB3AGUAbABsAGMAbwBsAG
wAaQBuAHMALgBjAG8AbQADADoAYQBuAHMAdQAuAGEAZgBpAHMALgByAG8AYwBrAHcAZQBsAGwAY
wBvAGwAbABpAG4AcwAuAGMAbwBtAAAAAAA=[\r][\n]"
[DEBUG] wire - -<< "Content-Length: 24[\r][\n]"
[DEBUG] wire - -<< "Content-Type: text/html[\r][\n]"
[DEBUG] HttpMethodBase - -Authorization required
[DEBUG] HttpAuthenticator - -Authenticating with the default authentication
realm at host
[DEBUG] HttpMethodBase - -HttpMethodBase.execute(): Server demanded
authentication credentials, will try again.
[DEBUG] wire - -<< "Error: Access is Denied."
[DEBUG] HttpMethodBase - -Resorting to protocol version default close
connection policy
[DEBUG] HttpMethodBase - -Should NOT close connection, using HTTP/1.1.
[DEBUG] HttpMethodBase - -Execute loop try 3
[DEBUG] wire - ->> "GET /index.html HTTP/1.1[\r][\n]"
[DEBUG] HttpMethodBase - -Request to add Host header ignored: header
already added
[DEBUG] wire - ->> "User-Agent: Jakarta
Commons-HttpClient/2.0final[\r][\n]"
[DEBUG] wire - ->> "Host: host[\r][\n]"
[DEBUG] wire - ->> "Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAGkAAAAAAAAAgQAAABgAGABAAAAACQAJAFgAAAAIAAgAYQAAAAAAAAC
BAAAABlIAAEFGSVMuUk9DS1dFTExDT0xMSU5TLkNPTVJPT1RBRE1JTkQwMTU3NzgyJGvqRAbUDM
au2Xvs7/czsCLtV0s5fmPn[\r][\n]"
[DEBUG] wire - ->> "[\r][\n]"
[DEBUG] wire - -<< "HTTP/1.1 401 Access Denied[\r][\n]"
[DEBUG] wire - -<< "Server: Microsoft-IIS/5.0[\r][\n]"
[DEBUG] wire - -<< "Date: Mon, 03 May 2004 12:47:05 GMT[\r][\n]"
[DEBUG] wire - -<< "WWW-Authenticate: Negotiate[\r][\n]"
[DEBUG] wire - -<< "WWW-Authenticate: NTLM[\r][\n]"
[DEBUG] wire - -<< "Connection: close[\r][\n]"
[DEBUG] wire - -<< "Content-Length: 24[\r][\n]"
[DEBUG] wire - -<< "Content-Type: text/html[\r][\n]"
[DEBUG] HttpMethodBase - -Authorization required
[INFO] HttpMethodBase - -Already tried to authenticate with 'null'
authentication realm at ansu, but still receiving: HTTP/1.1 401 Access
Denied
[DEBUG] HttpMethodBase - -Buffering response body
[DEBUG] wire - -<< "Error: Access is Denied."
[DEBUG] HttpMethodBase - -Should close connection in response to
Connection: close

Error: Access is Denied.

---------------------------------------

So after the handshake the authentication was not successful. What went
wrong? I cannot see too much in that NTLM message, but in comparison to the
messages MS IE sends they look a bit different. I logged the traffic
MS IE generates and it looks like this:

---------------------------------------

GET /index.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel,
application/msword, application/x-shockwave-flash, */*
Accept-Language: de
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; H010818)
Host: host
Connection: Keep-Alive
Authorization: NTLM TlRMTVNTUAABAAAAB4IIoAAAAAAAAAAAAAAAAAAAAAA=

HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
Date: Mon, 03 May 2004 12:43:27 GMT
WWW-Authenticate: NTLM
TlRMTVNTUAACAAAACAAIADAAAAAFgomgUZrE0tSyEkwAAAAAAAAAAI4AjgA4AAAAQQBGAEkAUwA
CAAgAQQBGAEkAUwABAAgAQQBOAFMAVQAEADAAYQBmAGkAcwAuAHIAbwBjAGsAdwBlAGwAbABjAG
8AbABsAGkAbgBzAC4AYwBvAG0AAwA6AGEAbgBzAHUALgBhAGYAaQBzAC4AcgBvAGMAawB3AGUAb
ABsAGMAbwBsAGwAaQBuAHMALgBjAG8AbQAAAAAA
Content-Length: 24
Content-Type: text/html

Error: Access is Denied.

GET /index.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel,
application/msword, application/x-shockwave-flash, */*
Accept-Language: de
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; H010818)
Host: host
Connection: Keep-Alive
Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAJIAAAC+AL4AqgAAADAAMABAAAAAEgASAHAAAAAQABAAggAAAAAAAAB
oAQAABYKIoGEAZgBpAHMALgByAG8AYwBrAHcAZQBsAGwAYwBvAGwAbABpAG4AcwAuAGMAbwBtAH
IAbwBvAHQAYQBkAG0AaQBuAEQAMAAxADUANwA3ADgAMgAFd79T6lFtE0X9Kr8EzRokwS2McGRle
u2ElDAdnU93j14Z3czOQSPUAQEAAAAAAAAwrDw7DDHEAcEtjHBkZXrtAAAAAAIACABBAEYASQBT
AAEACABBAE4AUwBVAAQAMABhAGYAaQBzAC4AcgBvAGMAawB3AGUAbABsAGMAbwBsAGwAaQBuAHM
ALgBjAG8AbQADADoAYQBuAHMAdQAuAGEAZgBpAHMALgByAG8AYwBrAHcAZQBsAGwAYwBvAGwAbA
BpAG4AcwAuAGMAbwBtAAAAAAAAAAAA

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Cache-Control: no-cache
Expires: Mon, 03 May 2004 12:43:27 GMT
Date: Mon, 03 May 2004 12:43:27 GMT
Content-Type: text/xml
Accept-Ranges: bytes
Last-Modified: Mon, 03 May 2004 12:43:22 GMT
ETag: "90c5c38c31c41:8b0"
Content-Length: 62746

[...]

---------------------------------------

As you can see, the second message from the MS IE client is much longer than
the second message of the Jakarta HttpClient. Does it submit any extra
information needed by the NTLM algorithm? Is this a bug, or is there some
setting I forgot to set? Can anybody help? Any help would be appreciated.
Thanks a lot.



Hauke Fuhrmann

Airbus Deutschland GmbH
ECYA3 - Cabin Communication Systems & Application
Kreetslag 10
21129 Hamburg, Germany

Phone: +49 (0) 40 743 - 88260
Mail: hauke.fuhrmann@airbus.com
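
Added example (not part of the original post or of HttpClient): a small decoder for the "NTLM <base64>" header values seen in the logs above, reporting the message type, negotiate flags and, for Type 3, the sizes of the LM and NT responses. Decoding the Type 3 tokens logged above this way shows a 24-byte LM response with an empty NT response from HttpClient and a 190-byte NT response from IE. The names decode_ntlm and sample_type3 are hypothetical, the field offsets follow the commonly documented NTLMSSP layout, and the sample messages are constructed.

```python
import base64
import struct

# Subset of NTLMSSP negotiate flags (names as commonly documented).
FLAGS = {0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
         0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN",
         0x00080000: "EXTENDED_SESSIONSECURITY",
         0x20000000: "KEY_128", 0x80000000: "KEY_56"}
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}  # position of the flags field per message type

def _secbuf(msg, off):
    """Return the payload of the security buffer (len, maxlen, offset) at off."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("security buffer points past end of message")
    return msg[start:start + length]

def decode_ntlm(header_value):
    """Summarise the token of an 'NTLM <base64>' header value."""
    token = "".join(header_value.split()[1:])  # tolerate line-wrapped log output
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype not in FLAGS_OFFSET or len(msg) < FLAGS_OFFSET[mtype] + 4:
        raise ValueError("unknown type or truncated message")
    flags = struct.unpack_from("<I", msg, FLAGS_OFFSET[mtype])[0]
    info = {"type": mtype, "flags": [n for b, n in FLAGS.items() if flags & b]}
    if mtype == 3:  # Type 3 carries the LM and NT responses
        nt = _secbuf(msg, 20)
        info["lm_len"], info["nt_len"] = len(_secbuf(msg, 12)), len(nt)
        info["nt_kind"] = ("absent" if not nt else "NTLMv2" if len(nt) > 24
                           else "NTLMv1 or NTLM2 session")
    return info

def sample_type3(nt_response):
    """Constructed Type 3 header value: dummy 24-byte LM response + nt_response."""
    lm, bufs, off = b"\x11" * 24, b"", 64
    for data in (lm, nt_response, b"", b"", b"", b""):
        bufs += struct.pack("<HHI", len(data), len(data), off)
        off += len(data)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 3) + bufs
    msg += struct.pack("<I", 0x00000201) + lm + nt_response
    return "NTLM " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    print(decode_ntlm(sample_type3(b"")))            # LM response only
    print(decode_ntlm(sample_type3(b"\x22" * 190)))  # long NT response
```

A server policy that refuses LM-only or NTLMv1 responses answers such a Type 3 message with another 401, so comparing nt_len between a working and a failing client is a quick first check.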

