[
https://issues.apache.org/jira/browse/HTTPCLIENT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14168107#comment-14168107
]
Sebb edited comment on HTTPCLIENT-1545 at 10/11/14 12:55 PM:
-------------------------------------------------------------
[~kfung], while this patch makes it work on Windows XP I am confused by the
entire test.
First of all, the SPN should be {{HTTP/example.com}}. This is a hostname, not a
realm. Second, when does {{InitializeSecurityContext}} ever return
{{SEC_E_DOWNGRADE_DETECTED}}? This isn't documented in MSDN. It simply does not
make sense with SPNEGO. It will automatically downgrade from Kerberos to NTLM
if Kerberos is not possible. I just wrote a simple C program on my Windows XP
box. Acquired Negotiate cred handle, intiated context for {{HTTP/example.com}}
and received NTLM type 1 token.
I can of course retry this at work with Windows 7 in our forest environment but
the result should be the same.
was (Author: michael-o):
[~kfung], while this patch makes it work on Windows XP I am confused by the
entire test.
First of all, the SPN should be {{HTTP/example.com}}. This is a hostname, not a
realm. Second, when does {{InitializeSecurityContext}} ever return
{{SEC_E_DOWNGRADE_DETECTED}}? This isn't documented in MSDN. It simply does not
make sends with SPNEGO. It will automatically downgrade from Kerberos to NTLM
if Kerberos is not possible. I just wrote a simple C program on my Windows XP
box. Acquired Negotiate cred handle, intiated context for {{HTTP/example.com}}
and received NTLM type 1 token.
I can of course retry this at work with Windows 7 in our forest environment but
the result should be the same.
> Possible infinite loop when WindowsNegotiateScheme authentication fails
> -----------------------------------------------------------------------
>
> Key: HTTPCLIENT-1545
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1545
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 4.4 Alpha1
> Environment: Windows
> Reporter: Ka-Lok Fung
> Fix For: 4.4 Beta1
>
> Attachments: HTTPCLIENT-1545.WinXP.diff, HTTPCLIENT-1545.patch.diff,
> HTTPCLIENT-1545.v2.patch.diff
>
>
> When {{WindowsNegotiateScheme}} authentication fails, it's possible for
> HttpClient to retry the authentication in an endless loop because the
> {{continueNeeded}} flag is not set to {{false}} when authentication fails.
> One possible way of causing authentication to fail is to use a service
> principle name that is outside your Windows domain (e.g., HTTP/EXAMPLE.COM).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
