[jira] [Commented] (HTTPCLIENT-1545) Possible infinite loop when WindowsNegotiateScheme authentication fails

Sat, 11 Oct 2014 04:49:57 -0700 

    [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14168107#comment-14168107
 ] 

Michael Osipov commented on HTTPCLIENT-1545:
--------------------------------------------

[~kfung], while this patch makes it work on Windows XP I am confused by the 
entire test.
First of all, the SPN should be {{HTTP/example.com}}. This is a hostname, not a 
realm. Second, when does {{InitializeSecurityContext}} ever return 
{{SEC_E_DOWNGRADE_DETECTED}}? This isn't documented in MSDN. It simply does not 
make sends with SPNEGO. It will automatically downgrade from Kerberos to NTLM 
if Kerberos is not possible. I just wrote a simple C program on my Windows XP 
box. Acquired Negotiate cred handle, intiated context for {{HTTP/example.com}} 
and received NTLM type 1 token.

I can of course retry this at work with Windows in our forest environment but 
the result should be the same.

> Possible infinite loop when WindowsNegotiateScheme authentication fails
> -----------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1545
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1545
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.4 Alpha1
>         Environment: Windows
>            Reporter: Ka-Lok Fung
>             Fix For: 4.4 Beta1
>
>         Attachments: HTTPCLIENT-1545.WinXP.diff, HTTPCLIENT-1545.patch.diff, 
> HTTPCLIENT-1545.v2.patch.diff
>
>
> When {{WindowsNegotiateScheme}} authentication fails, it's possible for 
> HttpClient to retry the authentication in an endless loop because the 
> {{continueNeeded}} flag is not set to {{false}} when authentication fails.
> One possible way of causing authentication to fail is to use a service 
> principle name that is outside your Windows domain (e.g., HTTP/EXAMPLE.COM).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org

Reply via email to