
List:       httpclient-commons-dev
Subject:    RE: NTLM authentication problem
From:       "Xavier Frisaye" <x.frisaye () t4hr ! com>
Date:       2004-05-27 11:57:20
Message-ID: F30C4A630DDBEF43A98A803ABCF67164091761 () coko ! t4hr ! com

Hi, 

You could try this when setting the credentials: specify the hostname parameter:

client.getState().setCredentials( null, hostname, credentials );
client.getState().setAuthenticationPreemptive( true );

I use HttpClient with Slide project to connect to Exchange server in WebDAV and this
code seems to work perfectly.

Regards
Xavier Frisaye

-----Original Message-----
From: Fuhrmann, Hauke [mailto:Hauke.Fuhrmann@airbus.com]
Sent: Wednesday, 26 May 2004 11:44
To: 'Commons HttpClient Project'
Subject: AW: NTLM authentication problem


Hi there,

I'm kinda frustrated here. Not your fault at all, frustrated about MS
support, 'cause there isn't any. I'm trying it here again, maybe there are
some IIS pros here who can give me a little hint:

Can I tell the IIS to give me more info in the logfile anyhow? Need info
about why the authentication process failed.

Greetings,
Hauke Fuhrmann

Airbus Deutschland GmbH
ECYA3 - Cabin Communication Systems & Application
Kreetslag 10
21129 Hamburg, Germany

Phone: +49 (0) 40 743 - 88260
Mail: hauke.fuhrmann@airbus.com


> -----Original Message-----
> From: Kalnichevski, Oleg [mailto:oleg.kalnichevski@bearingpoint.com]
> Sent: Monday, 3 May 2004 16:32
> To: Commons HttpClient Project
> Subject: RE: NTLM authentication problem
> 
> 
> 
> Hauke,
> NTLM problems are notoriously difficult to troubleshoot.
> Usually it all boils down to extensive guesswork.
> (1) is user name in the fully-qualified format: <domain>/<account>?
>     If yes, use the account name only
> (2) do you have any 'funny' characters in the password (like German
>     umlauts, for instance)? If yes, try using an account with plain
>     US-ASCII password
> 
> Oleg
> 
> -----Original Message-----
> From: Fuhrmann, Hauke [mailto:Hauke.Fuhrmann@airbus.com]
> Sent: Monday, May 03, 2004 16:11
> To: 'commons-httpclient-dev@jakarta.apache.org'
> Subject: NTLM authentication problem
> 
> 
> Hi there,
> 
> I hope you can help me with a little problem I got:
> 
> I have to download a file from a MS IIS webserver which uses NTLM
> authentication. The only client I performed a successful download with is
> MS IE. But I have to use a Java client, so I tried the jakarta commons
> httpclient. I implemented a test class which sets the correct NTCredentials
> and performs the request. The source looks somehow like this:
> 
> String url = "http://host/index.html";
> NTCredentials creds =
>     new NTCredentials(
>         "username",
>         "password",
>         "hostname",
>         "domain");
> HttpClient client = new HttpClient();
> HttpMethod method = new GetMethod(url);
> client.getState().setCredentials(null, null, creds);
> 
> where 'username', 'password', 'hostname' and 'domain' are changed with the
> correct values for the server.
> After running
> int statusCode = client.executeMethod(method);
> I get the following logfile output:
> 
> ---------------------------------------
> 
> [DEBUG] HttpClient - -Java version: 1.4.2
> [DEBUG] HttpClient - -Java vendor: Sun Microsystems Inc.
> [DEBUG] HttpClient - -Operating system name: Windows 2000
> [DEBUG] HttpClient - -Operating system architecture: x86
> [DEBUG] HttpClient - -Operating system version: 5.0
> [DEBUG] HttpClient - -SUN 1.42: SUN (DSA key/parameter generation; DSA
> signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS
> keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, 
> Collection
> CertStores)
> [DEBUG] HttpClient - -SunJSSE 1.42: Sun JSSE provider(implements RSA
> Signatures, PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
> [DEBUG] HttpClient - -SunRsaSign 1.42: SUN's provider for RSA 
> signatures
> [DEBUG] HttpClient - -SunJCE 1.42: SunJCE Provider 
> (implements DES, Triple
> DES, AES, Blowfish, PBE, Diffie-Hellman, HMAC-MD5, HMAC-SHA1)
> [DEBUG] HttpClient - -SunJGSS 1.0: Sun (Kerberos v5)
> [DEBUG] HttpConnection - -HttpConnection.setSoTimeout(0)
> [DEBUG] HttpMethodBase - -Execute loop try 1
> [DEBUG] wire - ->> "GET /index.html HTTP/1.1[\r][\n]"
> [DEBUG] HttpMethodBase - -Adding Host request header
> [DEBUG] wire - ->> "User-Agent: Jakarta
> Commons-HttpClient/2.0final[\r][\n]"
> [DEBUG] wire - ->> "Host: host[\r][\n]"
> [DEBUG] wire - ->> "[\r][\n]"
> [DEBUG] wire - -<< "HTTP/1.1 401 Access Denied[\r][\n]"
> [DEBUG] wire - -<< "Server: Microsoft-IIS/5.0[\r][\n]"
> [DEBUG] wire - -<< "Date: Mon, 03 May 2004 12:47:03 GMT[\r][\n]"
> [DEBUG] wire - -<< "WWW-Authenticate: Negotiate[\r][\n]"
> [DEBUG] wire - -<< "WWW-Authenticate: NTLM[\r][\n]"
> [DEBUG] wire - -<< "Connection: close[\r][\n]"
> [DEBUG] wire - -<< "Content-Length: 24[\r][\n]"
> [DEBUG] wire - -<< "Content-Type: text/html[\r][\n]"
> [DEBUG] HttpMethodBase - -Authorization required
> [DEBUG] HttpAuthenticator - -Authenticating with the default 
> authentication
> realm at host
> [DEBUG] HttpMethodBase - -HttpMethodBase.execute(): Server demanded
> authentication credentials, will try again.
> [DEBUG] wire - -<< "Error: Access is Denied."
> [DEBUG] HttpMethodBase - -Should close connection in response to
> Connection: close
> 
> [DEBUG] HttpMethodBase - -Execute loop try 2
> [DEBUG] HttpMethodBase - -Opening the connection.
> [DEBUG] wire - ->> "GET /index.html HTTP/1.1[\r][\n]"
> [DEBUG] HttpMethodBase - -Request to add Host header ignored: header
> already added
> [DEBUG] wire - ->> "User-Agent: Jakarta
> Commons-HttpClient/2.0final[\r][\n]"
> [DEBUG] wire - ->> "Host: host[\r][\n]"
> [DEBUG] wire - ->> "Authorization: NTLM
> TlRMTVNTUAABAAAABlIAABgAGAAoAAAACAAIACAAAABEMDE1Nzc4MkFGSVMuUk
> 9DS1dFTExDT0x
> MSU5TLkNPTQ==[\r][\n]"
> [DEBUG] wire - ->> "[\r][\n]"
> [DEBUG] wire - -<< "HTTP/1.1 401 Access Denied[\r][\n]"
> [DEBUG] wire - -<< "Server: Microsoft-IIS/5.0[\r][\n]"
> [DEBUG] wire - -<< "Date: Mon, 03 May 2004 12:47:03 GMT[\r][\n]"
> [DEBUG] wire - -<< "WWW-Authenticate: NTLM
> TlRMTVNTUAACAAAABAAEADAAAAAGAoEAfy2cSecyuJ8AAAAAAAAAAI4AjgA0AA
> AAQUZJUwIACAB
> BAEYASQBTAAEACABBAE4AUwBVAAQAMABhAGYAaQBzAC4AcgBvAGMAawB3AGUAb
> ABsAGMAbwBsAG
> wAaQBuAHMALgBjAG8AbQADADoAYQBuAHMAdQAuAGEAZgBpAHMALgByAG8AYwBr
> AHcAZQBsAGwAY
> wBvAGwAbABpAG4AcwAuAGMAbwBtAAAAAAA=[\r][\n]"
> [DEBUG] wire - -<< "Content-Length: 24[\r][\n]"
> [DEBUG] wire - -<< "Content-Type: text/html[\r][\n]"
> [DEBUG] HttpMethodBase - -Authorization required
> [DEBUG] HttpAuthenticator - -Authenticating with the default 
> authentication
> realm at host
> [DEBUG] HttpMethodBase - -HttpMethodBase.execute(): Server demanded
> authentication credentials, will try again.
> [DEBUG] wire - -<< "Error: Access is Denied."
> [DEBUG] HttpMethodBase - -Resorting to protocol version default close
> connection policy
> [DEBUG] HttpMethodBase - -Should NOT close connection, using HTTP/1.1.
> [DEBUG] HttpMethodBase - -Execute loop try 3
> [DEBUG] wire - ->> "GET /index.html HTTP/1.1[\r][\n]"
> [DEBUG] HttpMethodBase - -Request to add Host header ignored: header
> already added
> [DEBUG] wire - ->> "User-Agent: Jakarta
> Commons-HttpClient/2.0final[\r][\n]"
> [DEBUG] wire - ->> "Host: host[\r][\n]"
> [DEBUG] wire - ->> "Authorization: NTLM
> TlRMTVNTUAADAAAAGAAYAGkAAAAAAAAAgQAAABgAGABAAAAACQAJAFgAAAAIAA
> gAYQAAAAAAAAC
> BAAAABlIAAEFGSVMuUk9DS1dFTExDT0xMSU5TLkNPTVJPT1RBRE1JTkQwMTU3N
> zgyJGvqRAbUDM
> au2Xvs7/czsCLtV0s5fmPn[\r][\n]"
> [DEBUG] wire - ->> "[\r][\n]"
> [DEBUG] wire - -<< "HTTP/1.1 401 Access Denied[\r][\n]"
> [DEBUG] wire - -<< "Server: Microsoft-IIS/5.0[\r][\n]"
> [DEBUG] wire - -<< "Date: Mon, 03 May 2004 12:47:05 GMT[\r][\n]"
> [DEBUG] wire - -<< "WWW-Authenticate: Negotiate[\r][\n]"
> [DEBUG] wire - -<< "WWW-Authenticate: NTLM[\r][\n]"
> [DEBUG] wire - -<< "Connection: close[\r][\n]"
> [DEBUG] wire - -<< "Content-Length: 24[\r][\n]"
> [DEBUG] wire - -<< "Content-Type: text/html[\r][\n]"
> [DEBUG] HttpMethodBase - -Authorization required
> [INFO] HttpMethodBase - -Already tried to authenticate with 'null'
> authentication realm at ansu, but still receiving: HTTP/1.1 401 Access
> Denied
> [DEBUG] HttpMethodBase - -Buffering response body
> [DEBUG] wire - -<< "Error: Access is Denied."
> [DEBUG] HttpMethodBase - -Should close connection in response to
> Connection: close
> 
> Error: Access is Denied.
> 
> ---------------------------------------
> 
> So after the handshake the authentication was not successful. What went
> wrong? I cannot see too much in that NTLM message, but in comparison to the
> messages the MS IE sends they look a bit different. I logged the traffic
> the MS IE does and it looks like this:
> 
> ---------------------------------------
> 
> GET /index.html HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/vnd.ms-powerpoint, application/vnd.ms-excel,
> application/msword, application/x-shockwave-flash, */*
> Accept-Language: de
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 
> 5.0; H010818)
> Host: host
> Connection: Keep-Alive
> Authorization: NTLM TlRMTVNTUAABAAAAB4IIoAAAAAAAAAAAAAAAAAAAAAA=
> 
> HTTP/1.1 401 Access Denied
> Server: Microsoft-IIS/5.0
> Date: Mon, 03 May 2004 12:43:27 GMT
> WWW-Authenticate: NTLM
> TlRMTVNTUAACAAAACAAIADAAAAAFgomgUZrE0tSyEkwAAAAAAAAAAI4AjgA4AA
> AAQQBGAEkAUwA
> CAAgAQQBGAEkAUwABAAgAQQBOAFMAVQAEADAAYQBmAGkAcwAuAHIAbwBjAGsAd
> wBlAGwAbABjAG
> 8AbABsAGkAbgBzAC4AYwBvAG0AAwA6AGEAbgBzAHUALgBhAGYAaQBzAC4AcgBv
> AGMAawB3AGUAb
> ABsAGMAbwBsAGwAaQBuAHMALgBjAG8AbQAAAAAA
> Content-Length: 24
> Content-Type: text/html
> 
> Error: Access is Denied.
> 
> GET /index.html HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/vnd.ms-powerpoint, application/vnd.ms-excel,
> application/msword, application/x-shockwave-flash, */*
> Accept-Language: de
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 
> 5.0; H010818)
> Host: host
> Connection: Keep-Alive
> Authorization: NTLM
> TlRMTVNTUAADAAAAGAAYAJIAAAC+AL4AqgAAADAAMABAAAAAEgASAHAAAAAQAB
> AAggAAAAAAAAB
> oAQAABYKIoGEAZgBpAHMALgByAG8AYwBrAHcAZQBsAGwAYwBvAGwAbABpAG4Ac
> wAuAGMAbwBtAH
> IAbwBvAHQAYQBkAG0AaQBuAEQAMAAxADUANwA3ADgAMgAFd79T6lFtE0X9Kr8E
> zRokwS2McGRle
> u2ElDAdnU93j14Z3czOQSPUAQEAAAAAAAAwrDw7DDHEAcEtjHBkZXrtAAAAAAI
> ACABBAEYASQBT
> AAEACABBAE4AUwBVAAQAMABhAGYAaQBzAC4AcgBvAGMAawB3AGUAbABsAGMAbw
> BsAGwAaQBuAHM
> ALgBjAG8AbQADADoAYQBuAHMAdQAuAGEAZgBpAHMALgByAG8AYwBrAHcAZQBsA
> GwAYwBvAGwAbA
> BpAG4AcwAuAGMAbwBtAAAAAAAAAAAA
> 
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.0
> Cache-Control: no-cache
> Expires: Mon, 03 May 2004 12:43:27 GMT
> Date: Mon, 03 May 2004 12:43:27 GMT
> Content-Type: text/xml
> Accept-Ranges: bytes
> Last-Modified: Mon, 03 May 2004 12:43:22 GMT
> ETag: "90c5c38c31c41:8b0"
> Content-Length: 62746
> 
> [...]
> 
> ---------------------------------------
> 
> As you see the second message from the MS IE client is much longer than the
> second message of the jakarta httpclient. Does it submit any extra
> information needed by the NTLM algorithm? Is this a bug or any other
> setting I forgot to set? Can anybody help? Any help would be appreciated.
> Thanks a lot.
> 
> 
> 
> Hauke Fuhrmann
> 
> Airbus Deutschland GmbH
> ECYA3 - Cabin Communication Systems & Application
> Kreetslag 10
> 21129 Hamburg, Germany
> 
> Phone: +49 (0) 40 743 - 88260
> Mail: hauke.fuhrmann@airbus.com
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
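
Added example (not part of the original thread, and not HttpClient code): a small decoder for the fixed headers of the NTLM messages in the two traces quoted above, so the difference between the HttpClient and IE exchanges can be read off as negotiate flags (Type 1) and LM/NT response lengths (Type 3). The names `parse_ntlm` and `flags_only_in` are hypothetical helpers; the samples are truncated prefixes of the logged messages.

```python
import base64
import struct

# Subset of the NEGOTIATE flag bits defined in MS-NLMP (NTLMSSP_ prefix dropped).
FLAG_NAMES = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}

# Constructed samples: only the leading bytes of each message logged in the
# thread (18 bytes for Type 1, 30 for Type 3), so no response data is included.
T1_HTTPCLIENT = "TlRMTVNTUAABAAAABlIAABgA"
T1_IE = "TlRMTVNTUAABAAAAB4IIoAAA"
T3_HTTPCLIENT = "TlRMTVNTUAADAAAAGAAYAGkAAAAAAAAAgQAAABgA"
T3_IE = "TlRMTVNTUAADAAAAGAAYAJIAAAC+AL4AqgAAADAA"


def parse_ntlm(b64):
    """Decode the fixed header of a base64 NTLM message from an HTTP auth header."""
    raw = base64.b64decode(b64)
    if len(raw) < 16 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    out = {"type": msg_type}
    if msg_type == 1:
        # Type 1: the 32-bit little-endian flags field follows the message type.
        (flags,) = struct.unpack_from("<I", raw, 12)
        out["flags"] = flags
        out["flag_names"] = {n for bit, n in FLAG_NAMES.items() if flags & bit}
    elif msg_type == 3:
        if len(raw) < 28:
            raise ValueError("Type 3 header truncated")
        # Type 3: two security buffers (len, maxlen, offset) for LM and NT responses.
        lm_len, _, _, nt_len, _, _ = struct.unpack_from("<HHIHHI", raw, 12)
        out["lm_response_len"] = lm_len
        out["nt_response_len"] = nt_len
    return out


def flags_only_in(first_b64, second_b64):
    """Named flags set in the first Type 1 message but not in the second."""
    return parse_ntlm(first_b64)["flag_names"] - parse_ntlm(second_b64)["flag_names"]
```

On these samples the HttpClient Type 3 message carries a 24-byte LM response and an empty NT response, while the IE Type 3 message carries a 190-byte NT response, which accounts for the length difference noted in the thread.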

