Max [to'ed],
Does this look familiar? Is it wrong for the server to be returning
"WWW-Authenticate: Negotiate" during NTLM handshake?
-Chris.
On 08/10/2011 14:41, Mario Ivankovits wrote:
Hi net-devs,
I hope you do not mind that I post to this list, but I hope I can
provide enough in-depth information about the problem to justify the
post here.
Accessing a “normal” ntlm protected resource – a simple index.html in an
protected directory on an IIS 7.5 server - the ntlm authentication works
fine.
However, trying to access the Microsoft Exchange 2010 webservice failes
with “401 Unauthorized”.
I used this few lines to debug the connection/authentication process
URL url = new URL("https://exchange/ews/Services.wsdl";);
byte[] buf = new byte[10240];
int read = url.openStream().read(buf);
System.err.println(new String(buf, 0, read));
This snipped works fine in java 1.6, but failes with an IOException
(http status 401) in java 1.7.
I found an interesting difference when accessing the “normal” web-page
and the exchange webservice.
When accessing the web-page, the server answers “WWW-Authenticate:
Negotiate” just after the first 401 response which triggers the
authentication process then. In contrast, when accessing the Exchange
webservice the “WWW-Authenticate: Negotiate” is sent during the
negotiation process too, which then triggers the inNegotiate flag in
sun.net.www.protocol.http.HttpURLConnection in getInputStream and let
the negotiation process fail.
If I hack the response values and change any subsequent Negotiate to
e.g. NegotiateXX, then the inNegotiate flag will not change and the
authentication process will finish and authentication finally works.
Here is the request/response cycle which fail then:
#1: {GET /ews/Services.wsdl HTTP/1.1: null}{User-Agent:
Java/1.7.0_02-ea}{Host: exchange }{Accept: text/html, image/gif,
image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
#2: {null: HTTP/1.1 401 Unauthorized}{Server:
Microsoft-IIS/7.5}{WWW-Authenticate: Negotiate}{WWW-Authenticate:
NTLM}{X-Powered-By: ASP.NET}{Date: Sat, 08 Oct 2011 13:17:39
GMT}{Content-Length: 0}
#3: {GET /ews/Services.wsdl HTTP/1.1: null}{User-Agent:
Java/1.7.0_02-ea}{Host: exchange }{Accept: text/html, image/gif,
image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}{Authorization:
NTLM MY_NTLM_DATA}
#4: {null: HTTP/1.1 401 Unauthorized}{Server:
Microsoft-IIS/7.5}{WWW-Authenticate: NTLM
SERVER_NTLM_DATA}{WWW-Authenticate: Negotiate}{X-Powered-By:
ASP.NET}{Date: Sat, 08 Oct 2011 13:17:39 GMT}{Content-Length: 0}
Exception in thread "main" java.io.IOException: Server returned HTTP
response code: 401 for URL: https://exchange/ews/Services.wsdl
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1612)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at java.net.URL.openStream(URL.java:1035)
Does this make sense to you?
It seems to me the “inNegotiate” handling needs a review as it does not
work in all cases.
I hope my informations are of any help to fix this issue.
Ciao,
Mario
