Date: Wed, 1 Nov 2006 09:39:16 -0800
From: "Jeff Ling"
To: "HttpClient User Discussion"
Subject: Re: ntlm issues 2 - Unknown user name or bad password

Hi Oleg,

I might give it a try. Does it mean I need to use "custom auth scheme"?

Thanks,
Jeff

On 11/1/06, Oleg Kalnichevski wrote:
>
> On Wed, 2006-11-01 at 08:51 -0800, Jeff Ling wrote:
> > Hi guys,
> >
> > This is an even stranger problem that I've been struggling with. I am using
> > Axis2 to call MS Sharepoint web services. At most customers, it works well.
> > However, at this one customer, the authentication just fails with the event
> > log message on the web server saying: "Unknown user name or bad password". Of
> > course, the first possibility was invalid user name/password as the error
> > message suggested. But I tried many different variations. And I've written a
> > .Net client to try it with the same credential, it works. Of course, it
> > could be using NTLMv2 instead. So I tried another application that only
> > supports NTLMv1 (it's a C++ implementation), and it also works! I also
> > turned on wire trace. I know the host doesn't enforce NTLMv2.
> >
> > The next thing I did was getting all the Axis2 source code, and then all the
> > httpclient source code down.
> > I put in more trace, and saw the type 1 -> type 2 -> type 3 message
> > handshaking. I even printed out the user name, password,
> > host, domain, and everything seems correct. But after the type 3 message was
> > sent to the server, the server returns 401. The only thing I didn't do is to
> > analyze the NTLM messages because I don't know how to validate them!
> >
> > The client is running on the same machine as the web server. The user
> > account is a local account (not a domain account), JDK is 1.4.x, and
> > httpclient is 3.0.1. On the server, it says:
> >
> > Logon Failure:
> > Reason: Unknown user name or bad password
> > User Name: SHAREPOINTADMIN
> > Domain: ITDSPDEV
> > Logon Type: 3
> > Logon Process: NtLmSsp
> > Authentication Package: NTLM
> > Workstation Name: ITDSPDEV.COJ.NET
> > Caller User Name: -
> > Caller Domain: -
> > Caller Logon ID: -
> > Caller Process ID: -
> > Transited Services: -
> > Source Network Address: 161.243.4.71
> > Source Port: 2009
> >
> >
> > Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> > Logon account: SHAREPOINTADMIN
> > Source Workstation: ITDSPDEV.COJ.NET
> > Error Code: 0xC000006A
> >
> >
> >
> > Any suggestions? What else can I do?
> >
> > Thanks,
> > Jeff
>
> Jeff,
>
> It is plausible that HttpClient's low level NTLM code is simply buggy.
> None of the current HttpClient committers is very knowledgeable about
> NTLM and its inner working. Moreover, none of us seems interested in
> getting more involved with the subject.
>
> Our long term plan is to have our home brewed code replaced with JCIFS,
> the library is being developed and maintained by the Samba project.
>
> The analysis of the problem you gave above suggests you already know
> more about the subject than any of us. If you have enough incentive and
> determination to 'scratch your own itch', you may want to consider
> developing an AuthScheme based on JCIFS. Besides, this would be a major
> and a very welcome contribution to the project.
>
> For more details on the subject please refer to this resource:
>
> http://wiki.apache.org/jakarta-httpclient/FrequentlyAskedNTLMQuestions
>
> Cheers,
>
> Oleg
>

--
Jeff Ling
Product Solutions Engineer
GOOGLE
Office: (650) 253-3095
Fax: (650) 618-1835
Email: jeffling@google.com
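
Added example (not part of the original thread, and not HttpClient or JCIFS code): a small Python decoder for the base64 token in an "Authorization: NTLM ..." or "WWW-Authenticate: NTLM ..." header taken from a wire trace, so that the domain, user, workstation and response lengths in the type 3 message can be compared with what the server logged. The sample token is constructed with dummy response bytes, and all function names are this example's own.

```python
import base64
import struct

NEGOTIATE_UNICODE = 0x00000001  # flag bit: strings are UTF-16LE rather than OEM

def _secbuf(msg, pos):
    """Return (bytes, offset) for the security buffer (len, maxlen, offset) at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer at %d points past end of message" % pos)
    return msg[offset:offset + length], offset

def parse_ntlm(header_value):
    """Decode the token from an 'NTLM <base64>' header value."""
    msg = base64.b64decode(header_value.split()[-1])
    if msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 2:  # server challenge: flags at 20, 8-byte challenge at 24
        return {"type": 2, "flags": struct.unpack_from("<I", msg, 20)[0],
                "challenge": msg[24:32].hex()}
    if mtype != 3:
        return {"type": mtype}
    # Type 3 buffers: LM resp @12, NT resp @20, domain @28, user @36, workstation @44
    bufs = [_secbuf(msg, p) for p in (12, 20, 28, 36, 44)]
    payload_start = min([off for data, off in bufs if data] or [0])
    # The flags field at offset 60 is only present when the payload starts at 64 or later
    flags = struct.unpack_from("<I", msg, 60)[0] if payload_start >= 64 else 0
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"  # latin-1: OEM stand-in
    (lm, _), (nt, _), (dom, _), (usr, _), (wks, _) = bufs
    return {"type": 3, "flags": flags, "domain": dom.decode(enc),
            "user": usr.decode(enc), "workstation": wks.decode(enc),
            "lm_len": len(lm), "nt_len": len(nt),
            "nt_is_24_bytes": len(nt) == 24}  # 24 = NTLMv1-style; NTLMv2 is longer

def sample_type3():
    """Constructed Type 3 message: dummy responses, names taken from the event log above."""
    names = ("ITDSPDEV", "SHAREPOINTADMIN", "ITDSPDEV")
    fields = [b"\x11" * 24, b"\x22" * 24] + [n.encode("utf-16-le") for n in names] + [b""]
    head, payload = b"NTLMSSP\x00" + struct.pack("<I", 3), b""
    for f in fields:  # six buffers (last is the empty session key), payload starts at 64
        head += struct.pack("<HHI", len(f), len(f), 64 + len(payload))
        payload += f
    msg = head + struct.pack("<I", 0x00000201) + payload  # UNICODE | NTLM
    return "NTLM " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    print(parse_ntlm(sample_type3()))
```

A domain, user or workstation that decodes differently from what was configured, or a response buffer that is not 24 bytes where NTLMv1 is expected, narrows the failure to message construction rather than to the credentials themselves.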