Re: NTLM Authentication fails
Dear HttpClient Users Group, Finally I managed to make NTLM Authentication to work correctly using only HttpClient API. The root cause why it did not work was in method NTLMScheme.authenticate() hiding the real problem with ClassCastException. try { ntcredentials = (NTCredentials) credentials; } catch (final ClassCastException e) { throw new InvalidCredentialsException( "Credentials cannot be used for NTLM authentication: " + credentials.getClass().getName()); } Since I used Wrapper for the NTCredentials, my WrapperCredentials was not instance of NTCredentials. Therefore, the issue has been resolved, but I would recommend not to hide the real problem or to make the message more precise or to change API accepting only NTCredentials in case of NTLM authentication. Best regards, Kirill On Wed, Jul 17, 2019 at 1:31 PM Oleg Kalnichevski wrote: > On Tue, 2019-07-16 at 16:21 +0200, Kirill wrote: > > Dear HtpClient Users Group, > > > > > > Is it possible to make NTLM Authentication using only HttpClient > > library > > (without htppclient-win library) which will be working independently > > on > > whether it is running on Windows or Linux? > > > > Of course, it is. It is the default mode of operation supported by > HttpClient and recommended by the project. > > Cheers > > Oleg > > > Best regards, > > Kirill > > > > > > > > *Von:* Oleg Kalnichevski > > > > *Gesendet:* Mittwoch, 10. Juli 2019 15:49 > > *An:* HttpClient User Discussion > > *Betreff:* Re: NTLM Authentication fails > > > > > > > > On Mon, 2019-07-08 at 09:27 +, Kirill wrote: > > > Dear HttpClient Support List, > > > > > > I found out that when trying to make NTLM Authentication using > > > httpclient-win-4.5.6.jar library it relies on > > > CurrentWindowsCredentials instead of using credentials provided in > > > WindowsCredentialsProvider which it seems to be incorrect for the > > > case when web-container (Tomcat in my case) is running as a service > > > under another "Local System" user on Windows machine. It retrieves > > > incorrect username which is not authorized to pass NTLM > > > authentication and gets 401 Unauthorized Error. Besides, if web > > > container (Tomcat in my case) is running inside Docker Linux > > > Container it does not work at all because the user specified inside > > > Docker Container is completely different from the Windows one. I > > > suppose that in WindowsNegotiateScheme.authenticate() method the > > > below implementation should not rely on CurrentWindowsCredentials > > > and > > > throw Exception but have to use the Credentials specified in > > > WindowsCredentialsProvider. > > > > > > if (clientCred == null) { > > > // ?? We don't use the credentials, should we allow anything? > > > if (!(credentials instanceof CurrentWindowsCredentials)) { > > > throw new InvalidCredentialsException( > > > "Credentials cannot be used for " + getSchemeName() + " > > > authentication: " > > > + credentials.getClass().getName()); > > > } > > > > > > > > > Also WindowsCredentialsProvider should not use instance of > > > CurrentWindowsCredentials in case of AuthSchemes.NTLM but use > > > provider.getCredentials(authscope) one: > > > > > > public Credentials getCredentials(final AuthScope authscope) { > > > final String scheme = authscope.getScheme(); > > > if (AuthSchemes.NTLM.equalsIgnoreCase(scheme) || > > > AuthSchemes.SPNEGO.equalsIgnoreCase(scheme)) { > > > return CurrentWindowsCredentials.INSTANCE; > > > } else { > > > return provider.getCredentials(authscope); > > > } > > > } > > > > > > Besides, if user provides the credentials of another user which is > > > different from the user logged in to Windows system, httpclient-win > > > API should not try to get information about currently logged user > > > via > > > CurrentWindowsCredentials class but has to use those credentials > > > provided in WindowsCredentialsProvider if there are provided. If > > > the > > > credentials are not provided, then probably makes sense to get user > > > using CurrentWindowsCredentials. > > > > > > Here is the code snippet how NTLM authentication was used in my > > > case > > > via httpclient-4.4.0.jar and httpclient-win-4.5.6.jar libraries: > > > &
Re: NTLM Authentication fails
On Tue, 2019-07-16 at 16:21 +0200, Kirill wrote: > Dear HtpClient Users Group, > > > Is it possible to make NTLM Authentication using only HttpClient > library > (without htppclient-win library) which will be working independently > on > whether it is running on Windows or Linux? > Of course, it is. It is the default mode of operation supported by HttpClient and recommended by the project. Cheers Oleg > Best regards, > Kirill > > > > *Von:* Oleg Kalnichevski > > *Gesendet:* Mittwoch, 10. Juli 2019 15:49 > *An:* HttpClient User Discussion > *Betreff:* Re: NTLM Authentication fails > > > > On Mon, 2019-07-08 at 09:27 +, Kirill Rajbhandary wrote: > > Dear HttpClient Support List, > > > > I found out that when trying to make NTLM Authentication using > > httpclient-win-4.5.6.jar library it relies on > > CurrentWindowsCredentials instead of using credentials provided in > > WindowsCredentialsProvider which it seems to be incorrect for the > > case when web-container (Tomcat in my case) is running as a service > > under another "Local System" user on Windows machine. It retrieves > > incorrect username which is not authorized to pass NTLM > > authentication and gets 401 Unauthorized Error. Besides, if web > > container (Tomcat in my case) is running inside Docker Linux > > Container it does not work at all because the user specified inside > > Docker Container is completely different from the Windows one. I > > suppose that in WindowsNegotiateScheme.authenticate() method the > > below implementation should not rely on CurrentWindowsCredentials > > and > > throw Exception but have to use the Credentials specified in > > WindowsCredentialsProvider. > > > > if (clientCred == null) { > > // ?? We don't use the credentials, should we allow anything? > > if (!(credentials instanceof CurrentWindowsCredentials)) { > > throw new InvalidCredentialsException( > > "Credentials cannot be used for " + getSchemeName() + " > > authentication: " > > + credentials.getClass().getName()); > > } > > > > > > Also WindowsCredentialsProvider should not use instance of > > CurrentWindowsCredentials in case of AuthSchemes.NTLM but use > > provider.getCredentials(authscope) one: > > > > public Credentials getCredentials(final AuthScope authscope) { > > final String scheme = authscope.getScheme(); > > if (AuthSchemes.NTLM.equalsIgnoreCase(scheme) || > > AuthSchemes.SPNEGO.equalsIgnoreCase(scheme)) { > > return CurrentWindowsCredentials.INSTANCE; > > } else { > > return provider.getCredentials(authscope); > > } > > } > > > > Besides, if user provides the credentials of another user which is > > different from the user logged in to Windows system, httpclient-win > > API should not try to get information about currently logged user > > via > > CurrentWindowsCredentials class but has to use those credentials > > provided in WindowsCredentialsProvider if there are provided. If > > the > > credentials are not provided, then probably makes sense to get user > > using CurrentWindowsCredentials. > > > > Here is the code snippet how NTLM authentication was used in my > > case > > via httpclient-4.4.0.jar and httpclient-win-4.5.6.jar libraries: > > > > HttpClientBuilder clientbuilder = HttpClients.custom(); > > Registry authSchemeRegistry = > > RegistryBuilder.create() > > .register(AuthSchemes.NTLM, new WindowsNTLMSchemeFactory(null)) > > .build(); > > CredentialsProvider windowsCredentialsProvider = new > > WindowsCredentialsProvider(new SystemDefaultCredentialsProvider()); > > windowsCredentialsProvider.setCredentials(AuthScope.ANY, new > > NTCredentials("username, "password", "workstation", "domain")); > > clientbuilder.setDefaultCredentialsProvider(windowsCredentialsProvi > > de > > r); > > clientbuilder.setDefaultAuthSchemeRegistry(authSchemeRegistry); > > > > RequestConfig.Builder requestBuilder = RequestConfig.custom(); > > requestBuilder = > > requestBuilder.setConnectTimeout(connectionTimeout); > > requestBuilder = > > requestBuilder.setConnectionRequestTimeout(connectionTimeout); > > clientbuilder.setDefaultRequestConfig(requestBuilder.build()); > > client = clientbuilder.build(); > > > > HttpGet get = new HttpGet("http://test.url/ntlm;); > > CloseableHttpResponse response = client.execute(get); > > > > Could you please advise a workaround for the issue and make the > >
RE: NTLM Authentication fails
Dear HtpClient Users Group, Is it possible to make NTLM Authentication using only HttpClient library (without htppclient-win library) which will be working independently on whether it is running on Windows or Linux? Best regards, Kirill *Von:* Oleg Kalnichevski *Gesendet:* Mittwoch, 10. Juli 2019 15:49 *An:* HttpClient User Discussion *Betreff:* Re: NTLM Authentication fails On Mon, 2019-07-08 at 09:27 +, Kirill Rajbhandary wrote: > Dear HttpClient Support List, > > I found out that when trying to make NTLM Authentication using > httpclient-win-4.5.6.jar library it relies on > CurrentWindowsCredentials instead of using credentials provided in > WindowsCredentialsProvider which it seems to be incorrect for the > case when web-container (Tomcat in my case) is running as a service > under another "Local System" user on Windows machine. It retrieves > incorrect username which is not authorized to pass NTLM > authentication and gets 401 Unauthorized Error. Besides, if web > container (Tomcat in my case) is running inside Docker Linux > Container it does not work at all because the user specified inside > Docker Container is completely different from the Windows one. I > suppose that in WindowsNegotiateScheme.authenticate() method the > below implementation should not rely on CurrentWindowsCredentials and > throw Exception but have to use the Credentials specified in > WindowsCredentialsProvider. > > if (clientCred == null) { > // ?? We don't use the credentials, should we allow anything? > if (!(credentials instanceof CurrentWindowsCredentials)) { > throw new InvalidCredentialsException( > "Credentials cannot be used for " + getSchemeName() + " > authentication: " > + credentials.getClass().getName()); > } > > > Also WindowsCredentialsProvider should not use instance of > CurrentWindowsCredentials in case of AuthSchemes.NTLM but use > provider.getCredentials(authscope) one: > > public Credentials getCredentials(final AuthScope authscope) { > final String scheme = authscope.getScheme(); > if (AuthSchemes.NTLM.equalsIgnoreCase(scheme) || > AuthSchemes.SPNEGO.equalsIgnoreCase(scheme)) { > return CurrentWindowsCredentials.INSTANCE; > } else { > return provider.getCredentials(authscope); > } > } > > Besides, if user provides the credentials of another user which is > different from the user logged in to Windows system, httpclient-win > API should not try to get information about currently logged user via > CurrentWindowsCredentials class but has to use those credentials > provided in WindowsCredentialsProvider if there are provided. If the > credentials are not provided, then probably makes sense to get user > using CurrentWindowsCredentials. > > Here is the code snippet how NTLM authentication was used in my case > via httpclient-4.4.0.jar and httpclient-win-4.5.6.jar libraries: > > HttpClientBuilder clientbuilder = HttpClients.custom(); > Registry authSchemeRegistry = > RegistryBuilder.create() > .register(AuthSchemes.NTLM, new WindowsNTLMSchemeFactory(null)) > .build(); > CredentialsProvider windowsCredentialsProvider = new > WindowsCredentialsProvider(new SystemDefaultCredentialsProvider()); > windowsCredentialsProvider.setCredentials(AuthScope.ANY, new > NTCredentials("username, "password", "workstation", "domain")); > clientbuilder.setDefaultCredentialsProvider(windowsCredentialsProvide > r); > clientbuilder.setDefaultAuthSchemeRegistry(authSchemeRegistry); > > RequestConfig.Builder requestBuilder = RequestConfig.custom(); > requestBuilder = requestBuilder.setConnectTimeout(connectionTimeout); > requestBuilder = > requestBuilder.setConnectionRequestTimeout(connectionTimeout); > clientbuilder.setDefaultRequestConfig(requestBuilder.build()); > client = clientbuilder.build(); > > HttpGet get = new HttpGet("http://test.url/ntlm;); > CloseableHttpResponse response = client.execute(get); > > Could you please advise a workaround for the issue and make the > corresponding fix if you consider my description as an issue? > Hi Kirill I am not sure I fully understand your logic here but also admittedly I have little idea how things work in Windows these days. The HttpClient for Windows is an experimental module and is NOT recommended for production use. On a number of occasions we have considered dropping Windows specific code altogether. However if you contribute a PR with your proposed improvements I will happily review them. Cheers Oleg
Re: NTLM Authentication fails
On Mon, 2019-07-08 at 09:27 +, Kirill Rajbhandary wrote: > Dear HttpClient Support List, > > I found out that when trying to make NTLM Authentication using > httpclient-win-4.5.6.jar library it relies on > CurrentWindowsCredentials instead of using credentials provided in > WindowsCredentialsProvider which it seems to be incorrect for the > case when web-container (Tomcat in my case) is running as a service > under another "Local System" user on Windows machine. It retrieves > incorrect username which is not authorized to pass NTLM > authentication and gets 401 Unauthorized Error. Besides, if web > container (Tomcat in my case) is running inside Docker Linux > Container it does not work at all because the user specified inside > Docker Container is completely different from the Windows one. I > suppose that in WindowsNegotiateScheme.authenticate() method the > below implementation should not rely on CurrentWindowsCredentials and > throw Exception but have to use the Credentials specified in > WindowsCredentialsProvider. > > if (clientCred == null) { > // ?? We don't use the credentials, should we allow anything? > if (!(credentials instanceof CurrentWindowsCredentials)) { > throw new InvalidCredentialsException( > "Credentials cannot be used for " + getSchemeName() + " > authentication: " > + credentials.getClass().getName()); > } > > > Also WindowsCredentialsProvider should not use instance of > CurrentWindowsCredentials in case of AuthSchemes.NTLM but use > provider.getCredentials(authscope) one: > > public Credentials getCredentials(final AuthScope authscope) { > final String scheme = authscope.getScheme(); > if (AuthSchemes.NTLM.equalsIgnoreCase(scheme) || > AuthSchemes.SPNEGO.equalsIgnoreCase(scheme)) { > return CurrentWindowsCredentials.INSTANCE; > } else { > return provider.getCredentials(authscope); > } > } > > Besides, if user provides the credentials of another user which is > different from the user logged in to Windows system, httpclient-win > API should not try to get information about currently logged user via > CurrentWindowsCredentials class but has to use those credentials > provided in WindowsCredentialsProvider if there are provided. If the > credentials are not provided, then probably makes sense to get user > using CurrentWindowsCredentials. > > Here is the code snippet how NTLM authentication was used in my case > via httpclient-4.4.0.jar and httpclient-win-4.5.6.jar libraries: > > HttpClientBuilder clientbuilder = HttpClients.custom(); > Registry authSchemeRegistry = > RegistryBuilder.create() > .register(AuthSchemes.NTLM, new WindowsNTLMSchemeFactory(null)) > .build(); > CredentialsProvider windowsCredentialsProvider = new > WindowsCredentialsProvider(new SystemDefaultCredentialsProvider()); > windowsCredentialsProvider.setCredentials(AuthScope.ANY, new > NTCredentials("username, "password", "workstation", "domain")); > clientbuilder.setDefaultCredentialsProvider(windowsCredentialsProvide > r); > clientbuilder.setDefaultAuthSchemeRegistry(authSchemeRegistry); > > RequestConfig.Builder requestBuilder = RequestConfig.custom(); > requestBuilder = requestBuilder.setConnectTimeout(connectionTimeout); > requestBuilder = > requestBuilder.setConnectionRequestTimeout(connectionTimeout); > clientbuilder.setDefaultRequestConfig(requestBuilder.build()); > client = clientbuilder.build(); > > HttpGet get = new HttpGet("http://test.url/ntlm;); > CloseableHttpResponse response = client.execute(get); > > Could you please advise a workaround for the issue and make the > corresponding fix if you consider my description as an issue? > Hi Kirill I am not sure I fully understand your logic here but also admittedly I have little idea how things work in Windows these days. The HttpClient for Windows is an experimental module and is NOT recommended for production use. On a number of occasions we have considered dropping Windows specific code altogether. However if you contribute a PR with your proposed improvements I will happily review them. Cheers Oleg - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org
RE: NTLM authentication fails
fyi, the HttpURLConnection implementation works -Original Message- From: Christoph Ernst | TRANSPOREON [mailto:er...@transporeon.com] Sent: Freitag, 12. September 2014 17:03 To: HttpClient User Discussion Subject: RE: NTLM authentication fails i did some tests with 4.3.5 JCIFSEngine and 4.4-alpha1, always get 401 i have compared the logs of all 3 versions and the only differences are the digest and ntlm hashes, but that's no surprise i know the credentials work because it works with curl, here is the verbose output if you want to take a look: http://pastebin.com/2YqDgvbU maybe it is really a incompatiblity with IIS8 the application will deployed on a linux servers, so i assume native windows apis won't help there next option i will try is HttpUrlConnection, thanks for the hint vanita -Original Message- From: Oleg Kalnichevski [mailto:ol...@apache.org] Sent: Freitag, 12. September 2014 16:49 To: HttpClient User Discussion Subject: Re: NTLM authentication fails On Fri, 2014-09-12 at 10:33 -0400, Chawla, Vanita wrote: Hi Christopher, Java 6+ HttpUrlConnection worked seamlessly with NTLMv2 and IIS while calling REST web service for me last year. I had issues with HTTP client version. You may want to try to see if you get past the NTLM/connection issues. HttpUrlConnection makes use of Windows native APIs behind the scene, which naturally makes it more compatible than pure Java solutions. If HttpUrlConnection works for but you still want to stick with HttpClient you could consider using HttpClient 4.4 that also supports native Windows auth. Oleg Thanks On 9/12/14, 10:28 AM, Oleg Kalnichevski ol...@apache.org wrote: On Fri, 2014-09-12 at 12:55 +, Christoph Ernst | TRANSPOREON wrote: hi, i'm trying to call a SOAP webservice hosted on an external webserver running IIS8 thru a Squid HTTP proxy. normally i use CXF for webservice clients, but the version i'm using does not support NTLM auth. i'm using the latest httpclient version (4.3.5) my code: http://pastebin.com/YPuNWBer debug log: http://pastebin.com/meT0K1FX my credentials are formatted as: DOMAIN/user:pass, like it is required by the NTCredentials(String) ctor i have already *succesfully* tested the code with a local IIS 7.5 with and without the same proxy. i was also able to succesfully authenticate using the following curl command curl -v -x proxy:3128 --proxy-digest -U proxyuser http://externalhost:8101/service.svc; -u DOMAIN\user --ntlm can you tell me what could be the problem? thanks in advance I see nothing wrong with HTTP packets generated by HttpClient. It looks like the server simply does not like your creds or there is some sort of incompatibility with IIS8. You might want to try to give JCIFS engine a try [1] and see if that makes any difference. Oleg [1] http://hc.apache.org/httpcomponents-client-4.3.x/ntlm.html - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org B CB [ X ܚX KK[XZ[ Y[ ]\ \ ][ X ܚX P˘\X K ܙ B ܈Y][ۘ[ [X[ K[XZ[ Y[ ]\ \ Z[˘\X K ܙ B B
Re: NTLM authentication fails
Hi Christopher, Java 6+ HttpUrlConnection worked seamlessly with NTLMv2 and IIS while calling REST web service for me last year. I had issues with HTTP client version. You may want to try to see if you get past the NTLM/connection issues. Thanks On 9/12/14, 10:28 AM, Oleg Kalnichevski ol...@apache.org wrote: On Fri, 2014-09-12 at 12:55 +, Christoph Ernst | TRANSPOREON wrote: hi, i'm trying to call a SOAP webservice hosted on an external webserver running IIS8 thru a Squid HTTP proxy. normally i use CXF for webservice clients, but the version i'm using does not support NTLM auth. i'm using the latest httpclient version (4.3.5) my code: http://pastebin.com/YPuNWBer debug log: http://pastebin.com/meT0K1FX my credentials are formatted as: DOMAIN/user:pass, like it is required by the NTCredentials(String) ctor i have already *succesfully* tested the code with a local IIS 7.5 with and without the same proxy. i was also able to succesfully authenticate using the following curl command curl -v -x proxy:3128 --proxy-digest -U proxyuser http://externalhost:8101/service.svc; -u DOMAIN\user --ntlm can you tell me what could be the problem? thanks in advance I see nothing wrong with HTTP packets generated by HttpClient. It looks like the server simply does not like your creds or there is some sort of incompatibility with IIS8. You might want to try to give JCIFS engine a try [1] and see if that makes any difference. Oleg [1] http://hc.apache.org/httpcomponents-client-4.3.x/ntlm.html - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org
Re: NTLM authentication fails
On Fri, 2014-09-12 at 10:33 -0400, Chawla, Vanita wrote: Hi Christopher, Java 6+ HttpUrlConnection worked seamlessly with NTLMv2 and IIS while calling REST web service for me last year. I had issues with HTTP client version. You may want to try to see if you get past the NTLM/connection issues. HttpUrlConnection makes use of Windows native APIs behind the scene, which naturally makes it more compatible than pure Java solutions. If HttpUrlConnection works for but you still want to stick with HttpClient you could consider using HttpClient 4.4 that also supports native Windows auth. Oleg Thanks On 9/12/14, 10:28 AM, Oleg Kalnichevski ol...@apache.org wrote: On Fri, 2014-09-12 at 12:55 +, Christoph Ernst | TRANSPOREON wrote: hi, i'm trying to call a SOAP webservice hosted on an external webserver running IIS8 thru a Squid HTTP proxy. normally i use CXF for webservice clients, but the version i'm using does not support NTLM auth. i'm using the latest httpclient version (4.3.5) my code: http://pastebin.com/YPuNWBer debug log: http://pastebin.com/meT0K1FX my credentials are formatted as: DOMAIN/user:pass, like it is required by the NTCredentials(String) ctor i have already *succesfully* tested the code with a local IIS 7.5 with and without the same proxy. i was also able to succesfully authenticate using the following curl command curl -v -x proxy:3128 --proxy-digest -U proxyuser http://externalhost:8101/service.svc; -u DOMAIN\user --ntlm can you tell me what could be the problem? thanks in advance I see nothing wrong with HTTP packets generated by HttpClient. It looks like the server simply does not like your creds or there is some sort of incompatibility with IIS8. You might want to try to give JCIFS engine a try [1] and see if that makes any difference. Oleg [1] http://hc.apache.org/httpcomponents-client-4.3.x/ntlm.html - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org
RE: NTLM authentication fails
i did some tests with 4.3.5 JCIFSEngine and 4.4-alpha1, always get 401 i have compared the logs of all 3 versions and the only differences are the digest and ntlm hashes, but that's no surprise i know the credentials work because it works with curl, here is the verbose output if you want to take a look: http://pastebin.com/2YqDgvbU maybe it is really a incompatiblity with IIS8 the application will deployed on a linux servers, so i assume native windows apis won't help there next option i will try is HttpUrlConnection, thanks for the hint vanita -Original Message- From: Oleg Kalnichevski [mailto:ol...@apache.org] Sent: Freitag, 12. September 2014 16:49 To: HttpClient User Discussion Subject: Re: NTLM authentication fails On Fri, 2014-09-12 at 10:33 -0400, Chawla, Vanita wrote: Hi Christopher, Java 6+ HttpUrlConnection worked seamlessly with NTLMv2 and IIS while calling REST web service for me last year. I had issues with HTTP client version. You may want to try to see if you get past the NTLM/connection issues. HttpUrlConnection makes use of Windows native APIs behind the scene, which naturally makes it more compatible than pure Java solutions. If HttpUrlConnection works for but you still want to stick with HttpClient you could consider using HttpClient 4.4 that also supports native Windows auth. Oleg Thanks On 9/12/14, 10:28 AM, Oleg Kalnichevski ol...@apache.org wrote: On Fri, 2014-09-12 at 12:55 +, Christoph Ernst | TRANSPOREON wrote: hi, i'm trying to call a SOAP webservice hosted on an external webserver running IIS8 thru a Squid HTTP proxy. normally i use CXF for webservice clients, but the version i'm using does not support NTLM auth. i'm using the latest httpclient version (4.3.5) my code: http://pastebin.com/YPuNWBer debug log: http://pastebin.com/meT0K1FX my credentials are formatted as: DOMAIN/user:pass, like it is required by the NTCredentials(String) ctor i have already *succesfully* tested the code with a local IIS 7.5 with and without the same proxy. i was also able to succesfully authenticate using the following curl command curl -v -x proxy:3128 --proxy-digest -U proxyuser http://externalhost:8101/service.svc; -u DOMAIN\user --ntlm can you tell me what could be the problem? thanks in advance I see nothing wrong with HTTP packets generated by HttpClient. It looks like the server simply does not like your creds or there is some sort of incompatibility with IIS8. You might want to try to give JCIFS engine a try [1] and see if that makes any difference. Oleg [1] http://hc.apache.org/httpcomponents-client-4.3.x/ntlm.html - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org