hc-httpclient-users mailing list archives

From Michael Osipov <micha...@apache.org>
Subject Re: Can't connect to ntlmv2 webservice - NEGOTIATE authentication error
Date Wed, 20 May 2015 16:47:38 GMT
First, please do not top post!

Am 2015-05-20 um 13:50 schrieb Gerben:
> Thank you for your response. I have no control over the server, unfortunately.
>
> The test tool I used only successfully connected using NTLM and not
> Kerberos. That's why I think the server only supports NTLM.
> So what I want is SPNEGO to negotiate NTLM, but that is not supported
> apparently. I didn't know that.
> I suspect that is the reason for the "KrbException: Cannot locate
> default realm" warning.

That is actually an error in your Kerberos configuration.

> Is support for NTLMv2 as SPNEGO sub-mechanism planned in future
> versions? Or is there another java library that can do it?

There is nothing planned and never will be, for the following reasons:

1) NTLM (even v2) is outdated and deprecated by Microsoft
2) It is proprietary
3) Oracle will not add a GSS-API mechanism for that into the JDK/JRE due 
to the points above
4) We have no control over Oracle/IBM/$JVM_VENDOR or its JGSS implementation

If you still think you want to use NTLM with SPNEGO, here are your options:

1) Write a JGSS mechanism plugin and hook it into JGSS
2) Use SSPI through JNA if you are on Windows, but this is absolutely not
portable

My serious advice is:

Contact your customer, tell them that their Kerberos setup is broken. It
is either a DNS problem or a missing SPN in the AD. Both can be fixed 
within 5 minutes.

Otherwise, you are out of luck.

Michael

> 2015-05-20 12:18 GMT+02:00 Michael Osipov <1983-01-06@gmx.net>:
>>> Hi,
>>>
>>> One of our customers is using a webservice we need to get data from.
>>> So far, we've been unsuccessful in doing that because of authentication
>>> errors. We can't seem to get past the NEGOTIATE phase of
>>> authentication using 4.4.1 of httpclient. We've also tried older
>>> versions of httpclient, the JCIFS library and a lot of variants of the
>>> script below, but it all had the same result. I'm not sure what we're
>>> doing wrong. The log shows a warning:
>>> 2015/05/20 09:10:08:867 CEST [WARN] HttpAuthenticator - NEGOTIATE
>>> authentication error: Invalid name provided (Mechanism level:
>>> KrbException: Cannot locate default realm)
>>>
>>> We can't seem to get rid of this warning. The webservice works fine
>>> when connecting to it using chrome web browser or a software tool
>>> called 'kerberos authentication tester'. We used 'kerberos
>>> authentication tester' to determine that the server is using NTLMv2
>>> authentication. Information about the server from the test tool is
>>> also found below.
>>>
>>
>> Hi,
>>
>> some stuff isn't straight. Let me get it:
>>
>> 1. Kerberos is not NTLM and vice versa
>> 2. You are mixing both
>> 3. You cannot test a service with Kerberos which does not accept those tokens
>>
>> You have configured HttpClient to use NTLM. The server advertises Negotiate,
>> HttpClient tries SPNEGO, you receive "KrbException: Cannot locate default realm".
>>
>> From this, everything is correct.
>>
>> Figure out what you want?! SPNEGO to negotiate Kerberos or NTLM or just pure NTLM?
>>
>> If you want to perform NTLM only, configure your server to advertise:
>> WWW-Authenticate: NTLM
>>
>> JGSS does *not* support NTLM as SPNEGO sub-mechanism, so HttpClient never will.
>> If you want to perform Kerberos authentication via SPNEGO, fix your krb5.conf/ini.
>>
>> Michael
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
>> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>>
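The thread turns on which mechanism is actually carried under `Negotiate`. The following Python is an added example, not part of the original messages or of HttpClient: it decodes the base64 token from a `Negotiate` header and reports whether it is a raw NTLMSSP message or an SPNEGO NegTokenInit, and which mechanisms the latter offers. The names `classify` and `MECHS` and both sample tokens are constructed for illustration.

```python
import base64

MECHS = {  # DER OID content bytes -> mechanism (RFC 4178, RFC 4121, MS-SPNG)
    bytes.fromhex("2b0601050502"): "SPNEGO",                            # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",                  # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "Kerberos 5 (legacy MS OID)",  # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",                   # 1.3.6.1.4.1.311.2.2.10
}

def _tlv(buf, pos):  # read one DER element -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify(header_value):
    """Return (framing, offered mechanisms) for a Negotiate header value."""
    b64 = header_value.strip().partition(" ")[2]
    if not b64:  # e.g. the server's initial "WWW-Authenticate: Negotiate"
        return "bare challenge", []
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):  # NTLM message with no SPNEGO wrapper
        return "raw NTLMSSP", ["NTLMSSP"]
    tag, pos, _end = _tlv(tok, 0)  # [APPLICATION 0] initial GSS-API token
    if tag != 0x60:
        raise ValueError("not an initial GSS-API token")
    _tag, s, pos = _tlv(tok, pos)  # outer mechanism OID
    mech = MECHS.get(tok[s:pos], tok[s:pos].hex())
    if mech != "SPNEGO":  # e.g. a Kerberos token sent without SPNEGO
        return "raw GSS-API", [mech]
    for _level in range(4):  # [0] negTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF
        _tag, pos, end = _tlv(tok, pos)
    mechs = []
    while pos < end:  # one OID per offered mechanism, in preference order
        _tag, s, pos = _tlv(tok, pos)
        mechs.append(MECHS.get(tok[s:pos], tok[s:pos].hex()))
    return "SPNEGO", mechs

# Constructed samples (not captured traffic): a NegTokenInit offering three
# mechanisms with no mechToken, and a minimal NTLM Type 1 message.
SPNEGO_SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "603206062b0601050502a0283026a0243022"
    "06092a864882f71201020206092a864886f712010202"
    "060a2b06010401823702020a")).decode()
NTLM_SAMPLE = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
```

A `raw NTLMSSP` result, or an SPNEGO list containing only NTLMSSP, means the exchange is NTLM, which JGSS does not provide as an SPNEGO sub-mechanism as stated in the thread.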