[
https://issues.apache.org/jira/browse/HTTPCLIENT-2170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17401327#comment-17401327
]
Michael Osipov commented on HTTPCLIENT-2170:
--------------------------------------------
Something is wrong here because the client *is* sending NTLM Type 3 message to
the server, but it rejects it:
{noformat}
[Thread-6] DEBUG org.apache.hc.client5.http.wire - http-outgoing-1 >> "GET
/server/rest/services/CERT_Secured_Basemap/MapServer/tile/14/6541/2858
HTTP/1.1[\r][\n]"
[Thread-6] DEBUG org.apache.hc.client5.http.wire - http-outgoing-1 >> "Host:
localhost.com[\r][\n]"
[Thread-6] DEBUG org.apache.hc.client5.http.wire - http-outgoing-1 >>
"Connection: keep-alive[\r][\n]"
[Thread-6] DEBUG org.apache.hc.client5.http.wire - http-outgoing-1 >>
"User-Agent: test user agent[\r][\n]"
[Thread-6] DEBUG org.apache.hc.client5.http.wire - http-outgoing-1 >>
"Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAEgAAADCAMIAYAAAAAAAAAAiAQAAEAAQACIBAAAUABQAMgEAAAAAAABGAQAABYKJogUBKAoAAAAP1NEOXrHPMxp6e8sOzeBFpMBBdy4uso7ZBbAfEpAnEWQKHzTKZXTWgwEBAAAAAAAAEIedSGWU1wFlVSW3du4uXAAAAAACAA4AQQBWAFcATwBSAEwARAABABQARABFAFYAMAAwADAANAA0ADAANAAEABAAZQBzAHIAaQAuAGMAbwBtAAMAJgBEAGUAdgAwADAAMAA0ADQAMAA0AC4AZQBzAHIAaQAuAGMAbwBtAAUAFgBlAG0AcAB0AHkALgBsAG8AYwBhAGwABwAIABKVEUhllNcBAAAAAAAAAABhAHAAcABzADAAMAAwADEARABFAFYAMAAwADAANAA0ADAANAA=[\r][\n]"
[Thread-6] DEBUG org.apache.hc.client5.http.wire - http-outgoing-1 >> "[\r][\n]"
<------[Thread-6] 401 :401 Unauthorized HTTP/1.1
[Thread-6] DEBUG org.apache.hc.client5.http.wire - http-outgoing-1 << "HTTP/1.1
401 Unauthorized[\r][\n]"
[Thread-6] DEBUG org.apache.hc.client5.http.wire - http-outgoing-1 <<
"Content-Type: text/html[\r][\n]"
[Thread-6] DEBUG org.apache.hc.client5.http.wire - http-outgoing-1 << "Server:
Microsoft-IIS/10.0[\r][\n]"
[Thread-6] DEBUG org.apache.hc.client5.http.wire - http-outgoing-1 <<
"WWW-Authenticate: Negotiate[\r][\n]"
[Thread-6] DEBUG org.apache.hc.client5.http.wire - http-outgoing-1 <<
"WWW-Authenticate: NTLM[\r][\n]"
[Thread-6] DEBUG org.apache.hc.client5.http.wire - http-outgoing-1 <<
"X-Powered-By: ASP.NET[\r][\n]"
[Thread-6] DEBUG org.apache.hc.client5.http.wire - http-outgoing-1 << "Date:
Wed, 18 Aug 2021 19:14:35 GMT[\r][\n]"
[Thread-6] DEBUG org.apache.hc.client5.http.wire - http-outgoing-1 <<
"Content-Length: 1293[\r][\n]"
[Thread-6] DEBUG org.apache.hc.client5.http.wire - http-outgoing-1 << "[\r][\n]"
{noformat}
Either the token is truly incorrect. Check the server event log OR there is a
concurrency issue where authenticators are shared (interleaved) between threads
which shouldn't.
> NTLM Authentication not working when sending multiple request concurrently
> --------------------------------------------------------------------------
>
> Key: HTTPCLIENT-2170
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2170
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Affects Versions: 5.0.4, 5.1
> Environment: Java 1.8 and Android
> Reporter: Erick
> Priority: Minor
> Labels: 5.04, 5.1, NTLM, http-client
> Attachments: NTLMTestSample.zip, NTLM_logs.txt
>
>
> We migrated our apache version from 4.5.x to 5.0.4 and we have encountered an
> authentication error using NTLM.
> We are making multiple requests in different threads to a NTLM secured server
> concurrently such as:
> {code:java}
> private fun test_Standalone() { val username = "username" val password
> = "password" val serverName = "localhost"
> val requestUrls = arrayOf(
> "https://${serverName}/server/rest/services/CERT_Secured_Basemap/MapServer/tile/0/0/0";,
>
> "https://${serverName}/server/rest/services/CERT_Secured_Basemap/MapServer/tile/63/0/0";,
>
> "https://${serverName}/server/rest/services/CERT_Secured_Basemap/MapServer/tile/16/26166/11433";,
>
> "https://${serverName}/server/rest/services/CERT_Secured_Basemap/MapServer/tile/15/13083/5716";,
>
> "https://${serverName}/server/rest/services/CERT_Secured_Basemap/MapServer/tile/1/0/0";,
>
> "https://${serverName}/server/rest/services/CERT_Secured_Basemap/MapServer/tile/16/26166/11432";,
>
> "https://${serverName}/server/rest/services/CERT_Secured_Basemap/MapServer/tile/14/6541/2858";,
>
> "https://${serverName}/server/rest/services/CERT_Secured_Basemap/MapServer/tile/15/13082/5716";,
>
> "https://${serverName}/server/rest/services/CERT_Secured_Basemap/MapServer/tile/15/13083/5715";,
>
> "https://${serverName}/server/rest/services/CERT_Secured_Basemap/MapServer/tile/16/26166/11431";,
>
> "https://${serverName}/server/rest/services/CERT_Secured_Basemap/MapServer/tile/15/13082/5715";,
>
> "https://${serverName}/server/rest/services/CERT_Secured_Basemap/MapServer/tile/14/6541/2857";,
>
> "https://${serverName}/server/rest/services/CERT_Secured_Basemap/MapServer/tile/16/26165/11434";,
>
> "https://${serverName}/server/rest/services/CERT_Secured_Basemap/MapServer/tile/15/13082/5717";
> )
> for(url in requestUrls) { makeRequestAsync(url, username,
> password) }}
> {code}
> Some of the data request succeed but others fail with a *401 Unauthorized.*
> **the output looks something like this:
>
> {code:java}
> <------[Thread-7] 401 :401 Unauthorized HTTP/1.1
> <------[Thread-1] 401 :401 Unauthorized HTTP/1.1
> <------[Thread-4] 401 :401 Unauthorized HTTP/1.1
> <------[Thread-6] 401 :401 Unauthorized HTTP/1.1
> <------[Thread-3] 401 :401 Unauthorized HTTP/1.1
> <------[Thread-10] 401 :401 Unauthorized HTTP/1.1
> <------[Thread-2] 401 :401 Unauthorized HTTP/1.1
> <------[Thread-9] 401 :401 Unauthorized HTTP/1.1
> <------[Thread-13] 401 :401 Unauthorized HTTP/1.1
> <------[Thread-12] 401 :401 Unauthorized HTTP/1.1
> <------[Thread-0] 401 :401 Unauthorized HTTP/1.1
> <------[Thread-11] 401 :401 Unauthorized HTTP/1.1
> <------[Thread-5] 401 :401 Unauthorized HTTP/1.1
> <------[Thread-8] 200 :200 OK HTTP/1.1
> {code}
>
> Looking at the logs, it seems that the NTLM handshake fails for some request
> **We found that by synchronizing the method
> [ProtocolExec.execute()|https://github.com/apache/httpcomponents-client/blob/5.0.x/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java#L103],
> all the NTLM authentication requests succeed and we are able to fetch the
> data successfully.
>
> Attached is the repro java project that we are using.
> The project only needs an NTLM server and credentials to run.
>
> We tested version 5.1 and it was also reproducible.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
