Negotiate authentication failed, but not trying other authentication methods

[IBeaumont <IB...@categoric.com>]

Hi,
I'm trying to request a page from IIS (6 and 7.5).  If the IIS is configured
with providers for "negotiage" and "ntlm" then the Negotiate authentication
is tried and fails, but it does not then try to use the NTLM authentication
which is what I require.  If I removed "negotiate" as a provider from IIS
and just use NTLM then all works well - but this is not a solution as I
don't have control of the web servers.

Is this a defect in the http client code?

Output below...


[DEBUG] SingleClientConnManager - Get connection for route
HttpRoute[{}->http://WIN-HNB91NNAB2G]
[DEBUG] DefaultClientConnectionOperator - Connecting to
WIN-HNB91NNAB2G/147.183.80.134:80
[DEBUG] RequestAddCookies - CookieSpec selected: best-match
[DEBUG] DefaultHttpClient - Attempt 1 to execute request
[DEBUG] DefaultClientConnection - Sending request: GET / HTTP/1.1
[DEBUG] wire - >> "GET / HTTP/1.1[\r][\n]"
[DEBUG] wire - >> "Host: WIN-HNB91NNAB2G[\r][\n]"
[DEBUG] wire - >> "Connection: Keep-Alive[\r][\n]"
[DEBUG] wire - >> "User-Agent: Apache-HttpClient/4.1 (java 1.5)[\r][\n]"
[DEBUG] wire - >> "[\r][\n]"
[DEBUG] headers - >> GET / HTTP/1.1
[DEBUG] headers - >> Host: WIN-HNB91NNAB2G
[DEBUG] headers - >> Connection: Keep-Alive
[DEBUG] headers - >> User-Agent: Apache-HttpClient/4.1 (java 1.5)
[DEBUG] wire - << "HTTP/1.1 401 Unauthorized[\r][\n]"
[DEBUG] wire - << "Content-Type: text/html[\r][\n]"
[DEBUG] wire - << "Server: Microsoft-IIS/7.5[\r][\n]"
[DEBUG] wire - << "WWW-Authenticate: Negotiate[\r][\n]"
[DEBUG] wire - << "WWW-Authenticate: NTLM[\r][\n]"
[DEBUG] wire - << "Date: Fri, 15 Jul 2011 12:15:11 GMT[\r][\n]"
[DEBUG] wire - << "Content-Length: 58[\r][\n]"
[DEBUG] wire - << "[\r][\n]"
[DEBUG] DefaultClientConnection - Receiving response: HTTP/1.1 401
Unauthorized
[DEBUG] headers - << HTTP/1.1 401 Unauthorized
[DEBUG] headers - << Content-Type: text/html
[DEBUG] headers - << Server: Microsoft-IIS/7.5
[DEBUG] headers - << WWW-Authenticate: Negotiate
[DEBUG] headers - << WWW-Authenticate: NTLM
[DEBUG] headers - << Date: Fri, 15 Jul 2011 12:15:11 GMT
[DEBUG] headers - << Content-Length: 58
[DEBUG] DefaultHttpClient - Connection can be kept alive indefinitely
[DEBUG] DefaultHttpClient - Target requested authentication
[DEBUG] DefaultTargetAuthenticationHandler - Authentication schemes in the
order of preference: [negotiate, NTLM, Digest, Basic]
[DEBUG] DefaultTargetAuthenticationHandler - negotiate authentication scheme
selected
[DEBUG] NegotiateScheme - Received challenge '' from the auth server
[DEBUG] DefaultHttpClient - Authorization challenge processed
[DEBUG] DefaultHttpClient - Authentication scope: NEGOTIATE <any
realm>@win-hnb91nnab2g:80
[DEBUG] DefaultHttpClient - Found credentials
[DEBUG] wire - << "You do not have permission to view this directory or
page."
[DEBUG] RequestAddCookies - CookieSpec selected: best-match
[DEBUG] NegotiateScheme - init WIN-HNB91NNAB2G
[ERROR] RequestTargetAuthentication - Authentication error: Invalid name
provided (Mechanism level: Could not load configuration file
C:\WINDOWS\krb5.ini (The system cannot find the file specified))
[DEBUG] DefaultHttpClient - Attempt 2 to execute request
[DEBUG] DefaultClientConnection - Sending request: GET / HTTP/1.1
[DEBUG] wire - >> "GET / HTTP/1.1[\r][\n]"
[DEBUG] wire - >> "Host: WIN-HNB91NNAB2G[\r][\n]"
[DEBUG] wire - >> "Connection: Keep-Alive[\r][\n]"
[DEBUG] wire - >> "User-Agent: Apache-HttpClient/4.1 (java 1.5)[\r][\n]"
[DEBUG] wire - >> "[\r][\n]"
[DEBUG] headers - >> GET / HTTP/1.1
[DEBUG] headers - >> Host: WIN-HNB91NNAB2G
[DEBUG] headers - >> Connection: Keep-Alive
[DEBUG] headers - >> User-Agent: Apache-HttpClient/4.1 (java 1.5)
[DEBUG] wire - << "HTTP/1.1 401 Unauthorized[\r][\n]"
[DEBUG] wire - << "Content-Type: text/html[\r][\n]"
[DEBUG] wire - << "Server: Microsoft-IIS/7.5[\r][\n]"
[DEBUG] wire - << "WWW-Authenticate: Negotiate[\r][\n]"
[DEBUG] wire - << "WWW-Authenticate: NTLM[\r][\n]"
[DEBUG] wire - << "Date: Fri, 15 Jul 2011 12:15:11 GMT[\r][\n]"
[DEBUG] wire - << "Content-Length: 58[\r][\n]"
[DEBUG] wire - << "[\r][\n]"
[DEBUG] DefaultClientConnection - Receiving response: HTTP/1.1 401
Unauthorized
[DEBUG] headers - << HTTP/1.1 401 Unauthorized
[DEBUG] headers - << Content-Type: text/html
[DEBUG] headers - << Server: Microsoft-IIS/7.5
[DEBUG] headers - << WWW-Authenticate: Negotiate
[DEBUG] headers - << WWW-Authenticate: NTLM
[DEBUG] headers - << Date: Fri, 15 Jul 2011 12:15:11 GMT
[DEBUG] headers - << Content-Length: 58
[DEBUG] DefaultHttpClient - Connection can be kept alive indefinitely
[DEBUG] DefaultHttpClient - Target requested authentication
[DEBUG] NegotiateScheme - Received challenge '' from the auth server
[DEBUG] NegotiateScheme - Authentication already attempted
[DEBUG] DefaultHttpClient - Authorization challenge processed
[DEBUG] DefaultHttpClient - Authentication scope: NEGOTIATE <any
realm>@win-hnb91nnab2g:80
[DEBUG] DefaultHttpClient - Authentication failed
[DEBUG] wire - << "You do not have permission to view this directory or
page."
content:You do not have permission to view this directory or page.
[DEBUG] SingleClientConnManager - Releasing connection
org.apache.http.impl.conn.SingleClientConnManager$ConnAdapter@17fa65e
-- 
View this message in context: http://old.nabble.com/Negotiate-authentication-failed%2C-but-not-trying-other-authentication-methods-tp32067971p32067971.html
Sent from the HttpClient-User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org

Re: Negotiate authentication failed, but not trying other authentication methods

[IBeaumont <IB...@categoric.com>]

Raised...
https://issues.apache.org/jira/browse/HTTPCLIENT-1107

Thanks


olegk wrote:
> 
> On Fri, 2011-07-15 at 05:22 -0700, IBeaumont wrote:
>> Hi,
>> I'm trying to request a page from IIS (6 and 7.5).  If the IIS is
>> configured
>> with providers for "negotiage" and "ntlm" then the Negotiate
>> authentication
>> is tried and fails, but it does not then try to use the NTLM
>> authentication
>> which is what I require.  If I removed "negotiate" as a provider from IIS
>> and just use NTLM then all works well - but this is not a solution as I
>> don't have control of the web servers.
>> 
>> Is this a defect in the http client code?
>> 
> 
> It is a defect. Please raise a bug report for it in JIRA.
> 
> Oleg
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
> 
> 
> 

-- 
View this message in context: http://old.nabble.com/Negotiate-authentication-failed%2C-but-not-trying-other-authentication-methods-tp32067971p32068416.html
Sent from the HttpClient-User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org

Re: Negotiate authentication failed, but not trying other authentication methods

[Oleg Kalnichevski <ol...@apache.org>]

On Fri, 2011-07-15 at 05:22 -0700, IBeaumont wrote:
> Hi,
> I'm trying to request a page from IIS (6 and 7.5).  If the IIS is configured
> with providers for "negotiage" and "ntlm" then the Negotiate authentication
> is tried and fails, but it does not then try to use the NTLM authentication
> which is what I require.  If I removed "negotiate" as a provider from IIS
> and just use NTLM then all works well - but this is not a solution as I
> don't have control of the web servers.
> 
> Is this a defect in the http client code?
> 

It is a defect. Please raise a bug report for it in JIRA.

Oleg



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org