commons-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Augusto de Oliveira Aragão <>
Subject RE: NTLM authentication
Date Fri, 25 Apr 2003 13:09:45 GMT

You said:
"... it authenticates fine even with garbage data for host and host
domain...". Ok, I'm not sure about it, but I think ntlm is also used to
authenticate a machine with its NT Domain. Each machine, to join a NT
Domain, must have a "machine user name" registered - I think it's called
SID, or something like that. So it must have fields to support this kind of

However, what we're trying to do here is to authenticate users against the
domain. So, the only fields that really care here are the user domain, user
name and user password. I made some tests, and I was able to authenticate
against the server, even using in the host name. However, when you
don't use a valid DNS or WINS name, the authentication takes longer,
probably because the server is configured to make reverse lookup for request
log purposes. 

It´s a strange behavior, because I think it should verify if the connection
is actually coming from the same server that is  encoded in ntlm handshake,
for security purposes. Correct me if I'm wrong, Adrian.

I don't know if you're trying to authenticate against IIS (it's what I'm
using it for), and I'm not an IIS expert, so I don't know if it can be
configured to deny authentication to an unknown host. I presume it can´t.

The code that´s working for me is as simple as that:

    HttpClient client = new HttpClient();

    HttpMethod method = null;

        new NTCredentials(authenticationUser, authenticationPassword,
authenticationHost, authenticationDomain));

    method = new GetMethod(url);
    String responseBody = null;

    try {
      int retorno = client.executeMethod(method);
      responseBody = method.getResponseBodyAsString();



-----Original Message-----
From: Richard Becke []
Sent: sexta-feira, 25 de abril de 2003 09:33
Cc: André Augusto de Oliveira Aragão
Subject: RE: NTLM authentication

Hi !

Thank You for the reply ! I still can't make this work, though. I am
currently using the 20030424 snapshot. My problem is as following :
I am runnning my program on an AIX box, which does of course not have
a WINS name nor is it member of any NT domain. The other API I have
tried (HTTP client library :,
NTLM authenticator :
uses five pieces of information for construction of the NTLM auth
response; host, host domain, user, user domain, password. But, it
authenticates fine even with garbage data for host and host domain, so it
is obviously possible to authenticate using just user name, user domain and
password. This makes perfect sense, as NTLM authentication should be
possible from IE on any internet-connected Windows box. The problem I
face then is; given just the following data :

  user's NT domain
  user's password
  URL on IIS server requiring NTLM authentication

How do I construct a valid NTCredentials instance, and authenticate
to the given URL ?

kind regards,

  Richard Becke

/* ®ß */

<quote who="André Augusto de Oliveira Aragão">
> HI!
> I´m using it. It had a bug, but in the most recent nightly snapshot,
> it´s corrected.
> The arguments in the NTCredentials constructor are:
> userName - the userid.
> password - the password.
> host - For me, it works with the wins name of the host that is making
> the connection. I did not test if using the dns or ip works. I think it
> depends on your server (the server you´re trying to reach)
> configuration.
> domain - the actual NT Domain.
> Hope that helps,
> Andre
> -----Original Message-----
> From: Richard Becke []
> Sent: quinta-feira, 24 de abril de 2003 04:32
> To:
> Cc:
> Subject: NTLM authentication
> I am using HTTPClient 2.0 alpha 3 on AIX 4.3.3
> / IBM JDK 1.3.1 with IBM JCE / JSSE.
> Has anyone actually made NTLM authentication work ? I can't figure it
> out. Using Luigi Dragone's NTLM auth API
> (, everything works
> fine, so I know that the credentials and cryptographic providers are OK.
> The documentation for NTCredentials, as well as the example / test code
> seems a bit lacking. Is the "userName" constructor argument supposed to
> be "<NT domain>\<userid>" or just userid ? And the "host" argument; is
> this the DNS name, WINS name, and with / without the domain part ?
> Sorry for the cross posting, I know this belongs in the user list, but I
> feel the lacking documentation is also a bug.
> --
> /* ®ß */
> --------------------------------------------------------------------- To
> unsubscribe, e-mail:
> For additional commands, e-mail:
> --------------------------------------------------------------------- To
> unsubscribe, e-mail: For
> additional commands, e-mail:

View raw message