[jira] [Commented] (HTTPCLIENT-1545) Possible infinite loop when WindowsNegotiateScheme authentication fails

Sun, 12 Oct 2014 01:46:25 -0700 

    [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14168571#comment-14168571
 ] 

Ka-Lok Fung commented on HTTPCLIENT-1545:
-----------------------------------------

There was a case in the original code where it was possible to get an infinite 
loop if {{InitializeSecurityContext}} returned an error (doesn't matter what 
error, I just chose {{SEC_E_DOWNGRADE_DETECTED}} because it happened in my 
environment). I fixed it and added this test case to make sure a regression for 
this error doesn't happen again.

I agree that the SPN should be {{HTTP/example.com}}. However, before 1619373, 
it was using the provided service principle name (which in the default case 
through {{WinHttpClients}} would have been {{null}}) OR the username.

While the MSDN documentation doesn't say that {{SEC_E_DOWNGRADE_DETECTED}} can 
be returned, it certainly happens in our testing. Our server based 
authentication provider only supports Kerberos and not NTLM; perhaps this is 
the cause for this error message. When this unit test was run by Oleg on his 
Windows machine, it didn't happen the {{SEC_E_DOWNGRADE_DETECTED}} didn't 
happen for him either.

Hope this clarifies things.

-kl

> Possible infinite loop when WindowsNegotiateScheme authentication fails
> -----------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1545
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1545
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.4 Alpha1
>         Environment: Windows
>            Reporter: Ka-Lok Fung
>             Fix For: 4.4 Beta1
>
>         Attachments: HTTPCLIENT-1545.WinXP.diff, HTTPCLIENT-1545.patch.diff, 
> HTTPCLIENT-1545.v2.patch.diff
>
>
> When {{WindowsNegotiateScheme}} authentication fails, it's possible for 
> HttpClient to retry the authentication in an endless loop because the 
> {{continueNeeded}} flag is not set to {{false}} when authentication fails.
> One possible way of causing authentication to fail is to use a service 
> principle name that is outside your Windows domain (e.g., HTTP/EXAMPLE.COM).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to