hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oleg Kalnichevski <ol...@apache.org>
Subject RE: IIS (NTLM) + proxy server (NTLM or basic) problem
Date Wed, 05 May 2004 20:08:30 GMT
On Wed, 2004-05-05 at 21:58, Lili Liu wrote:
> Hi, Oleg:
> Anonymous was disabled (only NTLM is enabled).
> Our customer requires Microsoft proxy server and IIS.

I hope they know what they are doing

> lili
> 
> Our proxy server is using IIS 3.0, maybe that is too old.

If upgrade is an option, give it a shot. I tested HttpClient against IIS
4.x only

Oleg

> 
> -----Original Message-----
> From: Oleg Kalnichevski [mailto:olegk@apache.org]
> Sent: Wednesday, May 05, 2004 11:36 AM
> To: Commons HttpClient Project
> Subject: RE: IIS (NTLM) + proxy server (NTLM or basic) problem
> 
> 
> Hi Lili,
> 
> Do not give up too soon. I did test BASIC proxy (using Squid stable) +
> NTLM host authentication and did work. Of course, I cannot rule out that
> the problem is caused by some 'peculiarities' of Microsoft Proxy
> implementation. 
> 
> Please try disabling anonymous access to the host server and see if that
> makes any difference. 
> 
> Also consider using Squid as a proxy, at least for tests
> 
> Oleg
> 
> On Wed, 2004-05-05 at 19:11, Lili Liu wrote:
> > Hi, Oleg:
> > 
> > I tried all cases you mentioned below, and can't get it work. (My login is
> > domain account)
> > I thought I had one time work in this situation, but actually I missed the
> > line
> > client.getHostConfiguration().setProxy(proxyserverIP, 80);
> > 
> > If I commented out either NTLM authentication (use anoynomous) or proxy
> > authentication, authentication is sucessful.
> > 
> > I really doubt whether NTLM host can work through proxy environment.
> > Check this site:
> > http://www.squid-cache.org/mail-archive/squid-users/199710/0279.html
> > It mentioned NLTM should not be used on the Internet at large 
> > (by way of Microsoft's recommendation). 
> > 
> > lili
> > 
> > 
> > -----Original Message-----
> > From: Kalnichevski, Oleg [mailto:oleg.kalnichevski@bearingpoint.com]
> > Sent: Wednesday, May 05, 2004 1:04 AM
> > To: Lili Liu
> > Cc: commons-httpclient-dev@jakarta.apache.org
> > Subject: RE: IIS (NTLM) + proxy server (NTLM or basic) problem
> > 
> > 
> > 
> > Lili,
> > There's nothing in the log that could suggest a flaw in HttpClient's
> > authentication logic. Everything appears sane as far as the authentication
> > is concerned. Proxy authentication was successful. The trouble appears to
> be
> > caused by the NTLM host server which does not seem to accept the
> > credentials.
> > 
> > 
> > client.getState().setCredentials(
> > 	null,
> > 	"10.8.9.22",
> > 	new NTCredentials("lliu", "xxxxx", "10.8.9.22", "INXIGHT")
> > );
> > 
> > (1) Please double-check the domain name and try using the host name (every
> > NT box must have one) instead of the IP ("10.8.9.22") in the NTCredentials
> > constructor.
> > 
> > client.getState().setCredentials(
> > 	null,
> > 	"10.8.9.22",
> > 	new NTCredentials("lliu", "xxxxx", "myhost", "INXIGHT")
> > );
> > 
> > Where 'lliu' is a domain account
> > 
> > 
> > (2) Is the account you are using a domain account or a local one? This
> > distinction is very important. If it is a local one, you should be using
> the
> > host name instead of the domain name, even though the server may be a part
> > of the INXIGHT domain
> > 
> > client.getState().setCredentials(
> > 	null,
> > 	"10.8.9.22",
> > 	new NTCredentials("lliu", "xxxxx", "myhost", "myhost")
> > 
> > Where 'lliu' is a local account on the 'myhost' host
> > 
> > Let me know the results
> > 
> > Oleg
> > 
> > -----Original Message-----
> > From: Lili Liu [mailto:lliu@inxight.com]
> > Sent: Tuesday, May 04, 2004 20:26
> > To: Kalnichevski, Oleg
> > Subject: RE: IIS (NTLM) + proxy server (NTLM or basic) problem
> > 
> > 
> > Hi, Oleg:
> > I am focusing to get basic proxy + NTLM host work.
> > I downloaded the Httpclient package from the link below (May 4).
> > 
> > I still got the 401 error.
> > Here is the log.txt and my test program testProxy.java
> > 
> > One thing I thought maybe questionable is the first parameter of
> > setProxyCredentials is null in my case since the proxy does not belong to
> > any domain.
> > 
> > lili
> > Let me what you find.
> > Thanks a bunch!
> > 
> > 
> > -----Original Message-----
> > From: Kalnichevski, Oleg [mailto:oleg.kalnichevski@bearingpoint.com]
> > Sent: Tuesday, May 04, 2004 2:06 AM
> > To: Commons HttpClient Project
> > Subject: RE: IIS (NTLM) + proxy server (NTLM or basic) problem
> > 
> > 
> > 
> > Lili,
> > Truth to be told, NTLM proxy + NTLM host authentication has never been
> > properly tested, because none of us (HttpClient developers) has got access
> > to a Microsoft Proxy installation. I would not be surprised if it did not
> > work at all with HttpClient 2.0. I know for a fact that BASIC proxy + NTLM
> > host should work. I have been using Squid proxy to run the tests, though.
> > 
> > 
> > Anyways, could you please get hold of the latest HttpClient DEVELOPMENT
> > snapshot from the following location and see if it produces the same
> > results?
> > 
> > 
> > <http://cvs.apache.org/builds/jakarta-commons/nightly/commons-httpclient/>
> > 
> > It is much easier for me to troubleshoot the development version of
> > HttpClient because it's authentication code has become much saner.
> > Authentication code has undergone a complete rewrite for the 3.0 release
> and
> > _should_ be significantly more robust than that of HttpClient 2.0. Once
> the
> > problem is idenified and fixed, I'll port the changes to the stable
> > HttpClient branch
> > 
> > Please note that the development version (which is going to be the version
> > 3.0 when released) is no longer 2.0 API compatible. You may have to make
> > some adjustments to your code.
> > 
> > 
> > Oleg
> > 
> > -----Original Message-----
> > From: Lili Liu [mailto:lliu@inxight.com]
> > Sent: Tuesday, May 04, 2004 0:13
> > To: 'commons-httpclient-dev@jakarta.apache.org'
> > Subject: IIS (NTLM) + proxy server (NTLM or basic) problem
> > 
> > 
> > Hello,
> > 
> > I have tried all authentication combinations with IIS web server and
> > microsoft proxy server.
> > I have 401.1 error when both IIS are set up using NTLM and proxy server is
> > Basic or NTLM.
> > 
> > The proxy server set up code is as follows: (NTLM case)
> > 
> > 
> > 
> > 
> > client.getState().setAuthenticationPreemptive(false);
> > 			client.getHostConfiguration().setProxy("<proxy IP
> > address>", 80);
> > 			client.getState().setProxyCredentials(null, "<proxy
> > IP address>",
> > 				new NTCredentials(proxy-server-username,
> > proxy-server-password, proxy-server-host, proxy-server-domain));
> > 
> > The web server connection is done as follows:
> > 
> > 
> > 
> > client.getState().setAuthenticationPreemptive(false);
> > 			client.getState().setCredentials(
> > 						            null,
> > 						            "10.8.9.22",
> > 						            new
> > NTCredentials(username, passwd, "10.8.9.22", "INXIGHT");
> > 
> > 
> > Other combinations work well (IIS basic + proxy NTLM or proxy basic)
> > IIS NTLM without proxy server also works.
> > 
> > Log file is attached.
> > 
> > Any help is highly appreciated!
> > 
> > lili <<log.txt>>
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> >
> ****************************************************************************
> > ***********************
> > The information in this email is confidential and may be legally
> privileged.
> > Access to this email by anyone other than the intended addressee is
> > unauthorized.  If you are not the intended recipient of this message, any
> > review, disclosure, copying, distribution, retention, or any action taken
> or
> > omitted to be taken in reliance on it is prohibited and may be unlawful.
> If
> > you are not the intended recipient, please reply to or forward a copy of
> > this message to the sender and delete the message, any attachments, and
> any
> > copies thereof from your system.
> >
> ****************************************************************************
> > ***********************
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > commons-httpclient-dev-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail:
> > commons-httpclient-dev-help@jakarta.apache.org
> > 
> > 
> >
> ****************************************************************************
> > ***********************
> > The information in this email is confidential and may be legally
> privileged.
> > Access to this email by anyone other than the intended addressee is
> > unauthorized.  If you are not the intended recipient of this message, any
> > review, disclosure, copying, distribution, retention, or any action taken
> or
> > omitted to be taken in reliance on it is prohibited and may be unlawful.
> If
> > you are not the intended recipient, please reply to or forward a copy of
> > this message to the sender and delete the message, any attachments, and
> any
> > copies thereof from your system.
> >
> ****************************************************************************
> > ***********************
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > commons-httpclient-dev-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail:
> > commons-httpclient-dev-help@jakarta.apache.org
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> commons-httpclient-dev-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail:
> commons-httpclient-dev-help@jakarta.apache.org
> > 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail:
> commons-httpclient-dev-help@jakarta.apache.org
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org


Mime
View raw message