HTTP "Negotiate" authentication via NTLM from a Java SE6 client on Windows

Does anyone know if a Java 6 client running on Windows is able to authenticate via NTLM when accessing a Microsoft server that implements the SPNEGO authentication protocol?

My understanding is that Java 6 running on Windows has built-in support for SPNEGO, but it seems that the Java implementation does not attempt NTLM authentication in the event Kerberos authentication is not possible. The Authenticator example provided in the Sun docs fails with a 401 Unauthorized error in response to the server sending `WWW-Authenticate: Negotiate`.

Here is a description of the test environment:

Target Server:

  • Windows 2008 R2 standalone server (not part of AD domain)
  • Microsoft SOAP service implemented using WCF
  • WCF is configured for SPNEGO authentication (Kerberos and NTLM)
  • WCF server cannot be reconfigured to support other auth modes :(

Client Machine:

  • Windows 7 64-bit standalone workstation (not part of a domain)
  • Java SE6 client running the Sun SPNEGO example

The ultimate goal is to use Apache CXF 2.4.0 to invoke SOAP services on the WCF server. Before adding in the complexities of CXF and SOAP I have been trying to retrieve the WSDL from the server using a simple Java test application to work out the authentication issues.

FWIW - I can access the WCF server from IE using the local Administrator login for the Windows server. I have also been able to create a Delphi XE SOAP client without any special authorization configuration. The Delphi SOAP client uses WinInet under the hood.

Teleplay answered 9/5, 2011 at 16:22 Comment(3)
Did you ever solve your issue? - Homozygote
@David Brossard - Yes, we did get things working. The caveat with our solution was that native Java auth functionality had issues when running as a Windows service unless a service account was used. More recently we started using the Apache HTTP client which has working NTLMv2 auth support. It took some finesse to get it working, but it has proved reliable in heavy production use. - Teleplay
Thanks! I'll look into the Apache client then. My Tomcat is running as the Windows service so that's good. - Homozygote

Java's SPNEGO is capable of Kerberos only because NTLM is a proprietary legacy MS technology. If your target machine is not part of a domain, as it is in your case, you are out of luck. You should switch to DIGEST-MD5 authentication if you can.

Felicitasfelicitate answered 24/7, 2011 at 13:20 Comment(4)
Thanks for your response. I arrived at a similar conclusion - Java's SPNEGO implementation does not provide support for NTLM. That said, Java does natively support NTLM/NTLMv2 with some small caveats, at least on the Windows platform. I believe there are MS licensing issues for other platforms. I currently have a CXF client reliably running NTLMv2 in production against Dynamics Nav 2009 R2 (a WCF-based server). I would prefer digest auth as you suggest, but the MS Nav developers only implemented support for SPNEGO and NTLMv2 :( The NTLM support was only added in 2009 R2. - Teleplay
Did you mistype? There is no direct Java support for NTLM(v2) in Windows unless you use third party libs. - Felicitasfelicitate
No, what I wrote is correct: "Java's SPNEGO implementation does not provide support for NTLM". Java on Windows DOES support standard MS NTLMv2 authentication, but the Java SPNEGO implementation only supports Kerberos. The implication is that a Java client cannot authenticate to a MS Web Server using NTLM if the server is using SPNEGO (i.e. `WWW-Authenticate: Negotiate`). - Teleplay
How does Java on Windows support NTLMv2 with SPNEGO? - Felicitasfelicitate
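
The thread turns on which mechanism a `Negotiate` exchange actually carries, and that can be checked from a captured `Authorization` or `WWW-Authenticate` value by looking at the token's leading bytes. The following is an added example, not code from any of the posts above; the function names and sample tokens are constructed for illustration, and the OID substring match is a heuristic rather than a full ASN.1 parse.

```python
import base64
import struct

# DER-encoded mechanism OIDs (tag 0x06, length, value bytes).
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_token(header_value):
    """Classify the token in a 'Negotiate <b64>' or 'NTLM <b64>' header value."""
    parts = header_value.split(None, 1)
    if len(parts) < 2:
        return "scheme offer only, no token"
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid base64"
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        # Message type is a little-endian uint32 right after the signature.
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return "raw NTLMSSP " + NTLM_TYPES.get(msg_type, "unknown type")
    if raw[:1] == b"\x60" and OID_SPNEGO in raw[:16]:
        # Heuristic: look for mechanism OIDs anywhere in the NegTokenInit
        # rather than walking the ASN.1 structure.
        mechs = []
        if OID_KRB5 in raw or OID_MS_KRB5 in raw:
            mechs.append("Kerberos")
        if OID_NTLMSSP in raw:
            mechs.append("NTLM")
        return "SPNEGO NegTokenInit: " + ("+".join(mechs) or "no known mech")
    if raw[:1] == b"\x60" and OID_KRB5 in raw[:16]:
        return "bare Kerberos GSS token"
    if raw[:1] == b"\xa1":
        return "SPNEGO NegTokenResp"
    return "unrecognised token"


def constructed_samples():
    """Constructed header values for illustration; not captured traffic."""
    ntlm_type1 = b"NTLMSSP\x00" + struct.pack("<II", 1, 0)
    mech_list = OID_KRB5 + OID_NTLMSSP
    init = (b"\x60\x27" + OID_SPNEGO + b"\xa0\x1d\x30\x1b\xa0\x19\x30\x17"
            + mech_list)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return {"offer": "Negotiate",
            "ntlm_in_negotiate": "Negotiate " + b64(ntlm_type1),
            "spnego_init": "Negotiate " + b64(init)}
```

Running `classify_token` over the header values from a failing and a working client (for example the Java test application and IE against the same server) shows whether the working client is sending NTLM under the `Negotiate` scheme.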
