hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Osipov" <1983-01...@gmx.net>
Subject Re: Can't connect to ntlmv2 webservice - NEGOTIATE authentication error
Date Wed, 20 May 2015 10:18:33 GMT
> Hi,
> 
> One of our customers is using a webservice we need to get data from.
> So far, we've been unsuccesful in doing that because of authentication
> errors. We can't seem to get past the NEGOTIATE phase of
> authentication using 4.4.1 of httpclient. We've also tried older
> versions of httpclient, the JCIFS library and a lot of variants of the
> script below, but it all had the same result. I'm not sure what we're
> doing wrong. The log shows a warning:
> 2015/05/20 09:10:08:867 CEST [WARN] HttpAuthenticator - NEGOTIATE
> authentication error: Invalid name provided (Mechanism level:
> KrbException: Cannot locate default realm)
> 
> We can't seem get to rid of this warning. The webservice works fine
> when connecting to it using chrome webbrowser or a software tool
> called 'kerberos authentication tester'. We used 'kerberos
> authentication tester' to determine that the server is using NTLMv2
> authentication. Information about the server from the testtool are
> also found below.
> 

Hi,

some stuff isn't straight. Let me get it:

1. Kerberos is not NTLM and vice versa
2. You are mixing both
3. You cannot test a service with Kerberos which does not accept those tokens

You have configured HttpClient to use NTLM. The server advertises Negotiate,
HttpClient tries SPNEGO, you receive "KrbException: Cannot locate default realm".

>From this, everything is correct.

Figure out what you want?! SPNEGO to negotiate Kerberos or NTLM or just pure NTLM?

If you want to perform NTLM only, configure your server to advertise:
WWW-Autenticate: NTLM

JGSS does *not* support NTLM as SPNEGO sub-mechanism, so HttpClient never will.
If you want to perform Kerberos autentication via SPNEGO, fix your krb5.conf/ini.

Michael

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Mime
View raw message