Return-Path: X-Original-To: apmail-hc-httpclient-users-archive@www.apache.org Delivered-To: apmail-hc-httpclient-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 2E7CB11F7F for ; Wed, 13 Aug 2014 20:56:18 +0000 (UTC) Received: (qmail 65187 invoked by uid 500); 13 Aug 2014 20:56:17 -0000 Delivered-To: apmail-hc-httpclient-users-archive@hc.apache.org Received: (qmail 65150 invoked by uid 500); 13 Aug 2014 20:56:17 -0000 Mailing-List: contact httpclient-users-help@hc.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "HttpClient User Discussion" Delivered-To: mailing list httpclient-users@hc.apache.org Received: (qmail 65138 invoked by uid 99); 13 Aug 2014 20:56:17 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 13 Aug 2014 20:56:17 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of kfung4cxf@gmail.com designates 209.85.213.41 as permitted sender) Received: from [209.85.213.41] (HELO mail-yh0-f41.google.com) (209.85.213.41) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 13 Aug 2014 20:56:13 +0000 Received: by mail-yh0-f41.google.com with SMTP id b6so315586yha.0 for ; Wed, 13 Aug 2014 13:55:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type; bh=FjpAVIJvK4mRGSzzlOedu/btWxc9y/ob3rraKA/9xP8=; b=KtqoruDGkFlHL3x1uwDXmCVnQ+6dRN6XyTzb+up/SPwZZyBXNcO8hwTNxdnbTT89D3 Eo7mz+Aptb7CA5ekLzw+7Ca4atR9m/yDgko5B44yLKzwOcPlgDZaq8QpVoexvDzUaXKU Q+kopH3nCaVUkEVlXfgG7lamUs2EUrCLk+lmIDlOdMCEUwYAS3GXgWx7uTZaO3ePXqBC +vwLiqVIdSdHq0p2/fccPwTP13zO8m8FYL8PJozUNQ3tDpKQAOWV3mp9YweNPymB4OU3 wOQVSpiUTEzwxXA3FpBzUEUz2vZyHB5/qSf0vNebZE9MKYPQQSyNx5tuGLj4OShtBXvs rWYA== X-Received: by 10.236.85.10 with SMTP id t10mr10100179yhe.86.1407963352370; Wed, 13 Aug 2014 13:55:52 -0700 (PDT) MIME-Version: 1.0 Received: by 10.170.60.194 with HTTP; Wed, 13 Aug 2014 13:55:32 -0700 (PDT) From: K Fung Date: Wed, 13 Aug 2014 13:55:32 -0700 Message-ID: Subject: Supporting delegated credentials (ISC_REQ_DELEGATE) via ClientWinAuth in HttpClient 4.4 To: httpclient-users@hc.apache.org Content-Type: text/plain; charset=UTF-8 X-Virus-Checked: Checked by ClamAV on apache.org Hello, In WindowsNegotiateScheme.getToken(), would it be possible to change Sspi.ISC_REQ_CONNECTION to Sspi.ISC_REQ_CONNECTION | Sspi.ISC_REQ_DELEGATE? Would it be accepted as a bug? If you use this Wikipedia graphic as a reference, http://en.wikipedia.org/wiki/Kerberos_(protocol)#mediaviewer/File:Kerberos.svg, the current implementation in HttpClient 4.4alpha1 does the first (red) and last (green) steps but it doesn't do the middle one (middle). By adding this parameter, it won't skip out on the middle step (where the Windows LSA will ask the Windows domain controller to generate a ticket-granting-ticket for the requested service). Regards, kl --------------------------------------------------------------------- To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org For additional commands, e-mail: httpclient-users-help@hc.apache.org