[ https://issues.apache.org/jira/browse/HTTPCLIENT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14168571#comment-14168571 ]
Ka-Lok Fung commented on HTTPCLIENT-1545:
-----------------------------------------

There was a case in the original code where it was possible to get an infinite loop if {{InitializeSecurityContext}} returned an error (doesn't matter what error, I just chose {{SEC_E_DOWNGRADE_DETECTED}} because it happened in my environment). I fixed it and added this test case to make sure a regression for this error doesn't happen again.

I agree that the SPN should be {{HTTP/example.com}}. However, before 1619373, it was using the provided service principal name (which in the default case through {{WinHttpClients}} would have been {{null}}) OR the username.

While the MSDN documentation doesn't say that {{SEC_E_DOWNGRADE_DETECTED}} can be returned, it certainly happens in our testing. Our server based authentication provider only supports Kerberos and not NTLM; perhaps this is the cause for this error message. When this unit test was run by Oleg on his Windows machine, the {{SEC_E_DOWNGRADE_DETECTED}} didn't happen for him either.

Hope this clarifies things.

-kl

> Possible infinite loop when WindowsNegotiateScheme authentication fails
> -----------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1545
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1545
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.4 Alpha1
>         Environment: Windows
>            Reporter: Ka-Lok Fung
>             Fix For: 4.4 Beta1
>
>         Attachments: HTTPCLIENT-1545.WinXP.diff, HTTPCLIENT-1545.patch.diff, HTTPCLIENT-1545.v2.patch.diff
>
>
> When {{WindowsNegotiateScheme}} authentication fails, it's possible for
> HttpClient to retry the authentication in an endless loop because the
> {{continueNeeded}} flag is not set to {{false}} when authentication fails.
> One possible way of causing authentication to fail is to use a service
> principal name that is outside your Windows domain (e.g., HTTP/EXAMPLE.COM).
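The failure mode described in the issue, as an added example that is not part of the original message and is not HttpClient's code: a hypothetical `Scheme` class keeps a `continueNeeded` flag, and a stubbed supplier stands in for `InitializeSecurityContext`. The enum values, class names and the round cap are assumptions made for this illustration.

```java
import java.util.function.Supplier;

public class NegotiateLoopDemo {
    // Constructed stand-ins for SSPI results; only the names come from the discussion.
    enum SspiStatus { SEC_E_OK, SEC_I_CONTINUE_NEEDED, SEC_E_DOWNGRADE_DETECTED }

    /** Hypothetical auth scheme: one token-generation step per server challenge. */
    static class Scheme {
        private final Supplier<SspiStatus> sspi;  // stub for InitializeSecurityContext
        private final boolean resetOnFailure;     // false = behaviour described in the issue
        boolean continueNeeded = true;
        boolean failed = false;

        Scheme(Supplier<SspiStatus> sspi, boolean resetOnFailure) {
            this.sspi = sspi;
            this.resetOnFailure = resetOnFailure;
        }

        void step() {
            switch (sspi.get()) {
                case SEC_I_CONTINUE_NEEDED: continueNeeded = true;  break;
                case SEC_E_OK:              continueNeeded = false; break;
                default:                    // any error, not just the one named above
                    failed = true;
                    if (resetOnFailure) continueNeeded = false;     // ends the handshake
            }
        }

        boolean isComplete() { return !continueNeeded; }
    }

    /** Retry loop: repeats while the handshake looks unfinished. Returns rounds used. */
    static int authenticate(Scheme s, int maxRounds) {
        int rounds = 0;
        while (!s.isComplete() && rounds < maxRounds) { s.step(); rounds++; }
        return rounds;
    }

    public static void main(String[] args) {
        Supplier<SspiStatus> alwaysFails = () -> SspiStatus.SEC_E_DOWNGRADE_DETECTED;
        int buggy = authenticate(new Scheme(alwaysFails, false), 1000);
        int fixed = authenticate(new Scheme(alwaysFails, true), 1000);
        System.out.println("flag left set on error: " + buggy + " rounds (stopped only by the cap)");
        System.out.println("flag cleared on error:  " + fixed + " round");
    }
}
```

A regression test for this class of bug can assert that the number of rounds stays at one whenever the stubbed call returns any error status.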