hc-dev mailing list archives

From "Karl Wright (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HTTPCLIENT-1662) NTLM auth failed because NTLMEngineImpl strip domain to base domain name
Date Wed, 24 Jun 2015 12:18:05 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1662?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14599312#comment-14599312 ]

Karl Wright edited comment on HTTPCLIENT-1662 at 6/24/15 12:18 PM:
-------------------------------------------------------------------

[~michael-o]: While this code is nice, it's beyond the scope of HttpClient, in my opinion.
You really would not want to do an exchange with AD on every page fetch. Colin's problem
is not that he doesn't know the NETBIOS names, it's that we corrupt them.

bq. I would rather disallow fully-qualified domain names and accept netbios ones.

That's exactly what the patch permits.  It does, however, make an attempt to maintain backwards
compatibility for the four-string NTCredential constructor.  I would have done it a different
way perhaps, but Oleg has the full NTPrincipal in there and allows that to be retrieved, so
this is the backwards-compatible option that was left to me.



was (Author: kwright@metacarta.com):
[~michael-o]: While this code is nice, it's beyond the scope of HttpClient, in my opinion.
You really would not want to do an exchange with AD on every page fetch. Colin's problem
is not that he doesn't know the NETBIOS names, it's that we corrupt them.


> NTLM auth failed because NTLMEngineImpl strip domain to base domain name
> ------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1662
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1662
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpAuth
>    Affects Versions: 4.5
>         Environment: HttpClient 4.3, 4.5
> An HTTP site with NTLM auth
> A domain whose NetBIOS name does not match the domain name (e.g. domain=mydomain.com; netbios name=testdomain)
>            Reporter: Colin
>            Assignee: Karl Wright
>         Attachments: HTTPCLIENT-1662.patch
>
>
> When generating the type 3 message, we change the domain name to the base domain name:
> {code}
>             // Use only the base domain name!
>             final String unqualifiedDomain = convertDomain(domain);
> {code}
> {code}
>     /** Strip dot suffix from a name */
>     private static String stripDotSuffix(final String value) {
>         if (value == null) {
>             return null;
>         }
>         final int index = value.indexOf(".");
>         if (index != -1) {
>             return value.substring(0, index);
>         }
>         return value;
>     }
>     /** Convert domain to standard form */
>     private static String convertDomain(final String domain) {
>         return stripDotSuffix(domain);
>     }
> {code}
> I got HTTP 401 in my environment with correct credentials and found that the root cause is that this code produces the wrong domain name, so the domain controller returns an NTLM sub-status code 0xC0000064, which means "The username you typed does not exist!"
> The NetBIOS name of a domain is the "Pre Windows 2000 name" of the domain.
> Is there any issue with using the full domain name?



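Added example, not part of the original message and not HttpClient code: a diagnostic for the mismatch described in the issue. It decodes the target-info block of an NTLM Type 2 challenge (AV_PAIR layout from MS-NLMP) and compares the names the server advertises with the domain the quoted stripping code would send. The class and helper names are hypothetical, and the sample bytes are constructed from the issue's environment (domain=mydomain.com, NetBIOS name=testdomain).

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class NtlmDomainCheck { // hypothetical class, not part of HttpClient
    static final int EOL = 0, NB_DOMAIN = 2, DNS_DOMAIN = 4; // MS-NLMP AvId values
    /** Same behaviour as the stripDotSuffix/convertDomain code quoted in the issue. */
    static String convertDomain(String domain) {
        if (domain == null) return null;
        int index = domain.indexOf('.');
        return index != -1 ? domain.substring(0, index) : domain;
    }

    /** Decode AV_PAIRs: AvId and AvLen are 16-bit little-endian, names are UTF-16LE. */
    static Map<Integer, String> parseTargetInfo(byte[] info) {
        Map<Integer, String> names = new LinkedHashMap<>();
        ByteBuffer buf = ByteBuffer.wrap(info).order(ByteOrder.LITTLE_ENDIAN);
        while (buf.remaining() >= 4) {
            int id = buf.getShort() & 0xFFFF, len = buf.getShort() & 0xFFFF;
            if (id == EOL) break;
            if (len > buf.remaining()) throw new IllegalArgumentException("truncated AV_PAIR " + id);
            byte[] value = new byte[len];
            buf.get(value);
            if (id >= 1 && id <= 5) names.put(id, new String(value, StandardCharsets.UTF_16LE)); // ids 1-5 are names
        }
        return names;
    }
    /** Encode one AV_PAIR; used only to build the constructed sample below. */
    static void put(ByteArrayOutputStream out, int id, String value) {
        byte[] v = value.getBytes(StandardCharsets.UTF_16LE);
        out.write(id); out.write(id >> 8); out.write(v.length); out.write(v.length >> 8);
        out.write(v, 0, v.length);
    }

    public static void main(String[] args) {
        ByteArrayOutputStream sample = new ByteArrayOutputStream(); // constructed, not captured traffic
        put(sample, NB_DOMAIN, "TESTDOMAIN");
        put(sample, DNS_DOMAIN, "mydomain.com");
        put(sample, EOL, "");
        Map<Integer, String> names = parseTargetInfo(sample.toByteArray());
        String sent = convertDomain("mydomain.com"); // domain after the stripping shown in the issue
        boolean advertised = names.values().stream().anyMatch(sent::equalsIgnoreCase);
        System.out.println("advertised by server: " + names);
        System.out.println("sent: " + sent + (advertised ? " (advertised)" : " (MISMATCH: not a name the server advertises)"));
    }
}
```

To check a real failure, pass `parseTargetInfo` the target-info bytes taken from the server's own Type 2 message instead of the constructed sample.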