You are viewing a plain text version of this content. The canonical link for it is here.
Posted to rampart-dev@ws.apache.org by George Stanchev <gs...@serena.com> on 2010/06/14 18:16:40 UTC
Re: NTLM Authentication failure with CommonsHTTPTransportSender
Hi Brian,
I think there has been some work done in the past (see [1]) about this but I
am not sure where it stands as of now.
To be honest with you I am also interested to hear if axis 1.5.1 or 1.6 has
switched to HttpClient 4.1
I hope someone from the developers can comment on this thread.
George
[1] https://issues.apache.org/jira/browse/AXIS2-4318
On Mon, Jun 14, 2010 at 3:39 AM, Brian Dillon <Br...@fineos.com>wrote:
> George,
>
> Thanks for that. Is there a guiude to cover how this can be done. Does it
> require changing axis code or is it a config change ?
>
> thanks,
>
> Brian
>
> ________________________________
>
> From: George Stanchev [mailto:gstanchev@serena.com]
> Sent: Fri 11/06/2010 17:55
> To: java-user@axis.apache.org
> Subject: Re: NTLM Authentication failure with CommonsHTTPTransportSender
>
>
> IIIRC the default NTLM authentication with httpclient 3.x is NTLMv1 which
> Microsoft Servers rejects by default (unless you excplictly enable it by
> juggling registry settings). You need to enable NTLMv2 in axis2/httpclient,
> which is implemented in httpclient 4.x but you need to use jcifs in
> conjunction with the http client.
>
> May be someone here on the list can point with a guide how this is set up.
>
> George
>
>
> On Fri, Jun 11, 2010 at 1:52 AM, Brian Dillon <Br...@fineos.com>
> wrote:
>
>
> Hi,
>
>
>
> Just something else we have noticed which might be relevant. We have
> domains setup as;
>
>
>
> Top Level Domain: XXX
>
> Sub Domain: Development
>
>
>
> A user in the top level domain can call the web service and is
> authenticated through NTLM however a user (with the same permissions) on the
> sub domain devlopment.xxx.com <http://devlopment.xxx.com/> can't. Is
> there something different about user making a service invocation from a sub
> domain ?
>
>
>
> Both users are able to invoke the service if we use basic
> authentication (but obviously this is not secure enough as the password is
> sent in cleartext)
>
>
>
> Thanks,
>
>
>
> Brian
>
>
>
> From: Brian Dillon [mailto:Brian.Dillon@FINEOS.com]
> Sent: 10 June 2010 17:59
>
> To: java-user@axis.apache.org
>
> Subject: RE: NTLM Authentication failure with
> CommonsHTTPTransportSender
>
>
>
>
>
> Hi,
>
>
>
> Further on this. The on the wire request (taken from fiddler) has
> the following format
>
>
>
> No Proxy-Authorization Header is present.
>
>
>
> Authorization Header is present: NTLM
>
> 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 NTLMSSP.........
>
> 61 00 00 00 00 00 00 00 79 00 00 00 0B 00 0B 00 a.......y.......
>
> 40 00 00 00 0E 00 0E 00 4B 00 00 00 08 00 08 00 @.......K.......
>
> 59 00 00 00 00 00 00 00 79 00 00 00 06 52 00 00 Y.......y....R..
>
> 44 45 56 45 4C 4F 50 4D 45 4E 54 54 41 53 45 52 DEVELOPMENTTASER
>
> 56 49 43 45 53 55 53 45 52 49 45 44 45 56 31 35 VICESUSERIEM15
>
> 33 48 FB 57 4A 26 49 59 BD B2 2D 2B BE 6E 57 BF 3HûWJ&IY½²-+¾nW¿
>
> 70 70 B6 EA DA F9 8B C8 D2 pp¶êÚù<ÈÒ
>
>
>
>
>
> -[NTLM Type3: Authentication]------------------------------
>
> Provider: NTLMSSP
>
> Type: 3
>
> OS Version: 68.69:17750
>
> Flags: 0x5206
>
> OEM strings supported in security buffer.
>
> Request server's authentication realm included in
> Type2 reply.
>
> NTLM authentication.
>
> Client workstation domain provided. Server can
> determine if the client eligible for local authentication.
>
> Server and client are same machine. Client may use
> local credentials rather than calculating challenge-response.
>
> lmresp_Offset: 97; lmresp_Length: 24; lmresp_Length2: 24
>
> ntresp_Offset: 121; ntresp_Length: 0; ntresp_Length2: 0
>
> Domain_Offset: 64; Domain_Length: 11; Domain_Length2: 11
>
> User_Offset: 75; User_Length: 14; User_Length2: 14
>
> Host_Offset: 89; Host_Length: 8; Host_Length2: 8
>
> msg_len: 121
>
> Domain: ??
>
> User: ????
>
> Host: ???
>
> lm_resp: 48 FB 57 4A 26 49 59 BD B2 2D 2B BE 6E 57 BF 70 70 B6 EA DA
> F9 8B C8 D2
>
> nt_resp: empty
>
>
>
>
>
> Thanks,
>
>
>
> Brian
>
>
>
> From: Brian Dillon [mailto:Brian.Dillon@FINEOS.com]
> Sent: 10 June 2010 17:33
> To: axis-user@ws.apache.org
> Subject: NTLM Authentication failure with CommonsHTTPTransportSender
>
>
>
> Hi,
>
> I am using Axis2 1.4.1
>
> I am currently trying to call a SharePoint service from Axis2 using
> NTLM authentication. My configuration is as follows;
>
> <transportSender name="http"
>
>
> class="org.apache.axis2.transport.http.CommonsHTTPTransportSender">
>
> <parameter name="PROTOCOL">HTTP/1.1</parameter>
>
> <parameter name="Transfer-Encoding">chunked</parameter>
>
> </transportSender>
>
> I am invoking the service using the following;
>
> HttpTransportProperties.Authenticator auth =
> new HttpTransportProperties.Authenticator();
>
>
>
> auth.setUsername(sharePointUser);
>
> auth.setPassword(sharePointPwd);
>
> String domain =
> getSharepointConfigProperty(AUTHENTICATION_DOMAIN);
>
> auth.setDomain(domain);
>
> List<String> authL = new ArrayList<String>();
>
>
> authL.add(org.apache.axis2.transport.http.HttpTransportProperties.Authenticator.NTLM);
>
> auth.setAuthSchemes(authL);
>
>
> options.setProperty(HTTPConstants.AUTHENTICATE,auth);
>
> When I invoke the service I get the following error (seeing this in
> using fiddler to see the HTTP traffic)
>
> HTTP/1.1 401 Authorization Required
>
> Date: Thu, 10 Jun 2010 16:19:02 GMT
>
> Server: Apache/2.2.8 (Win32) DAV/2 SVN/1.5.5 mod_auth_sspi/1.0.4
>
> WWW-Authenticate: NTLM
> TlRMTVNTUAACAAAADAAMADgAAAAFgomi/C9BoEfVN9gAAAAAAAAAAIIAggBEAAAABQLODgAAAA9GAEkATgBFAE8AUwACAAwARgBJAE4ARQBPAFMAAQAQAEkARQBEAEUAVgAwADAANAAEABQARgBJAE4ARQBPAFMALgBjAG8AbQADACYAaQBlAGQAZQB2ADAAMAA0AC4ARgBJAE4ARQBPAFMALgBjAG8AbQAFABQARgBJAE4ARQBPAFMALgBjAG8AbQAAAAAA
>
> Content-Length: 401
>
> Keep-Alive: timeout=5, max=100
>
> Connection: Keep-Alive
>
> Content-Type: text/html; charset=iso-8859-1
>
> Proxy-Support: Session-Based-Authentication
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>
> <html><head>
>
> <title>401 Authorization Required</title>
>
> </head><body>
>
> <h1>Authorization Required</h1>
>
> <p>This server could not verify that you
>
> are authorized to access the document
>
> requested. Either you supplied the wrong
>
> credentials (e.g., bad password), or your
>
> browser doesn't understand how to supply
>
> the credentials required.</p>
>
> </body></html>
>
> When I also found is that if I switch to use
> com.oaklandsw.http.axis2.OaklandHTTPTransportSender2 instead of the
> CommonsHTTPTransportSender that the request will succeed.
>
> Is this a know bug with CommonsHTTPTransportSender ? Is there a
> workaround or a known fix ? I don't want to go down the route of using the
> Oakland HTTP Sender as it is not an open source project.
>
> Any help is appreciated,
>
> Thanks,
>
> Brian
>
> Brian Dillon
>
> Technical Architecture
>
> FINEOS Corporation
> Pembroke House, 8-10 Lower Pembroke Street, Dublin2, Ireland.
>
> T +353-1-639-9700 F +353-1-639-9701 W www.FINEOS.com <
> https://connect.fineos.com/go/www.fineos.com>
>
> ENTERPRISE SOLUTIONS for INSURANCE, BANCASSURANCE AND SOCIAL
> INSURANCE
>
> __________________________________________________________
>
> FINEOS Corporation is the global brand name of FINEOS Corporation
> Limited and its affiliated group companies worldwide.
>
> The information contained in this e-mail is confidential, may be
> privileged and is intended
>
> only for the use of the recipient named above. If you are not the
> intended recipient or a
>
> representative of the intended recipient, you have received this
> e-mail in error and must
>
> not copy, use or disclose the contents of this e-mail to anybody
> else.
>
>
>
> If you have received this e-mail in error, please notify the sender
> immediately by return
>
> e-mail and permanently delete the copy you received. This e-mail has
> been swept for
>
> computer viruses. However, you should carry out your own virus
> checks.
>
> Registered in Ireland, No. 205721.
> https://connect.fineos.com/go/www.fineos.com
>
> __________________________________________________________
>
>
>
>
>
> __________________________________________________________
> FINEOS Corporation is the global brand name of FINEOS Corporation Limited
> and its affiliated group companies worldwide.
> The information contained in this e-mail is confidential, may be privileged
> and is intended
> only for the use of the recipient named above. If you are not the intended
> recipient or a
> representative of the intended recipient, you have received this e-mail in
> error and must
> not copy, use or disclose the contents of this e-mail to anybody else.
>
> If you have received this e-mail in error, please notify the sender
> immediately by return
> e-mail and permanently delete the copy you received. This e-mail has been
> swept for
> computer viruses. However, you should carry out your own virus checks.
> Registered in Ireland, No. 205721. http://www.FINEOS.com
> __________________________________________________________
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-user-unsubscribe@axis.apache.org
> For additional commands, e-mail: java-user-help@axis.apache.org
>