[
https://issues.apache.org/jira/browse/HTTPCLIENT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13569863#comment-13569863
]
Karl Wright commented on HTTPCLIENT-1315:
-----------------------------------------
In preparation for reproducing this issue, I hand-unpacked the NTLM packets in
the working and non-working examples. There are effectively three differences:
(1) Flags; two fewer bits set in working Type 3 response (DOMAIN_PRESENT and
WORKSTATION_PRESENT are set in the unworking example)
(2) LM is all zeros in working Type 3 response, vs. calculated value in the
non-working one
(3) Blob in working Type 3 response has values added for field types 6,8,a,9.
The NTLM implementation from jcifs supposedly works, which does not include
blob modifications as described above. This argues for blob additions not
being material. Most likely, therefore, is that it's the flag differences that
are causing the problem. If I can readily reproduce the problem I can easily
try removing these flags to see what happens.
> NTLM or digest authentication using a local user on a domain host doesn't work
> ------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-1315
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1315
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpAuth, HttpClient
> Affects Versions: 4.2.3
> Environment: using httpclient to connect to a Windows Server 2008 R2
> standard host running IIS 7.5
> Reporter: Mihai David
> Assignee: Karl Wright
> Priority: Minor
> Labels: NTLM, authentication, digest, domain, workgroup
> Attachments: browser login with local user.txt, digestlog.txt,
> httpclient login with local user.txt
>
>
> The default AuthScheme cannot authenticate local users if the host is
> included in a domain. Authetication with domain users or local users if the
> host is in a workgroup works fine.
> If using ntlm or digest authentication:
> - Authentication with a domain user works fine
> - Authentication with a local user if the host is in a workgroup works fine
> - Authentication with a local user (e.g. Administrator) if the host is in a
> domain returns 401 - Unauthorized. (Note: this works with JCIFS
> implementation)
> To reproduce:
> //using local user returns "401 - Unauthorized" if the host is part of a
> domain
> NTCredentials creds = new NTCredentials("Administrator", "password",
> "myworkstation", "HOSTNAME");
> //domain user works fine:
> //NTCredentials creds = new NTCredentials("USERNAME", "password",
> "myworkstation", "DOMAIN");
> DefaultHttpClient httpclient = new DefaultHttpClient();
> httpclient.getCredentialsProvider().setCredentials(AuthScope.ANY, creds);
> HttpHost target = new HttpHost("xx.xx.xx.xx", 81, "http");
> HttpContext localContext = new BasicHttpContext();
> HttpGet httpget = new HttpGet("/Orchestrator2012/Orchestrator.svc/Jobs");
> List<String> authpref = new ArrayList<String>();
> authpref.add(AuthPolicy.NTLM);
> httpclient.getParams().setParameter(AuthPNames.TARGET_AUTH_PREF, authpref);
> HttpResponse response1 = httpclient.execute(target, httpget, localContext);
> HttpEntity entity1 = response1.getEntity();
> The code works if I use jcifs-1.3.17 to create an NTLMEngine like in the
> example: http://hc.apache.org/httpcomponents-client-ga/ntlm.html
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
