WinRM(WsMan) and NTLM authentication
I'm trying to use NTLM authentication during WsMan connection. But the problem is that WinRm doesn't support the NTLM scheme directly. Here are the response headers:
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 401 [\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Server: Microsoft-HTTPAPI/2.0[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "WWW-Authenticate: Negotiate[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "WWW-Authenticate: Kerberos[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "WWW-Authenticate: CredSSP[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Date: Thu, 10 Aug 2017 18:57:33 GMT[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Connection: close[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Content-Length: 0[\r][\n]"
NTLM scheme is not mentioned in official documentation https://docs.microsoft.com/en-us/powershell/module/Microsoft.WsMan.Management/Get-WSManInstance?view=powershell-5.1
But it says:
Negotiate. Negotiate is a challenge-response scheme that negotiates with the server or proxy to determine the scheme to use for authentication. For example, this parameter value allows for negotiation to determine whether the Kerberos protocol or NTLM is used.
I'm trying to use SPNEGO schema:
RegistryBuilder<AuthSchemeProvider> builder = RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory());
But at the end, it fails: https://pastebin.com/gGNEHGpx So it looks like NTLM is a sub-mechanism of SPNEGO, but how to use it correctly with Apache http-client?
Negotiate implies Kerberos or NTLM. https://blogs.technet.microsoft.com/tristank/2006/08/02/two-easy-ways-to-pick-kerberos-from-ntlm-in-an-http-capture/
I found a SpNegoNTLMSchemeFactory that works correctly with WinRm: https://gist.github.com/moberwasserlechner/4690931
JCIFSEngine.java == apache NTLMEngineImpl.java
SpNegoNTLMSchemeFactory.java == apache NTLMSchemeFactory.java
SpNegoNTLMScheme.java != apache NTLMScheme.java
But the only difference here is:
@Override
public String getSchemeName() {
    return AuthSchemes.SPNEGO; //<- apache class return NTLM here
}

@Override
public Header authenticate(final Credentials credentials, final HttpRequest request) throws AuthenticationException {
    ...
    buffer.append(": ");
    buffer.append(getSchemeName().toUpperCase()); //<- apache class return NTLM here
    buffer.append(" ");
    buffer.append(response);
    return new BufferedHeader(buffer);
}
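Added example, not part of the original question or answer: the scheme above sends an NTLM message under the Negotiate scheme name, so when reading wire logs or captures it helps to tell which mechanism a `Negotiate` token actually carries. This Python sketch classifies a header value; the function names and the sample token are constructed for illustration, and the SPNEGO mechanism check is a byte-search heuristic rather than a full ASN.1 parse.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
MECHS = [
    (bytes.fromhex("06092a864886f712010202"), "kerberos"),  # 1.2.840.113554.1.2.2
    (bytes.fromhex("06092a864882f712010202"), "kerberos"),  # 1.2.840.48018.1.2.2 (legacy MS OID)
    (bytes.fromhex("060a2b06010401823702020a"), "ntlm"),    # 1.3.6.1.4.1.311.2.2.10
]


def classify_negotiate(header_value):
    """Classify the token carried in a 'Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    if not b64.strip():
        return "no-token"  # bare server challenge, as in the 401 response above
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "invalid-base64"
    if token.startswith(NTLMSSP):
        # Raw NTLMSSP message sent under the Negotiate scheme name
        if len(token) < 12:
            return "ntlm-raw:truncated"
        msg_type = int.from_bytes(token[8:12], "little")
        return "ntlm-raw:" + NTLM_TYPES.get(msg_type, "UNKNOWN")
    if token[:1] == b"\xa1":
        return "spnego:response"  # NegTokenResp, a later leg of the exchange
    if token[:1] == b"\x60" and len(token) > 2:
        # GSS-API InitialContextToken: 0x60, DER length, mechanism OID
        oid_at = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
        body = token[oid_at:]
        for oid, name in MECHS[:2]:
            if body.startswith(oid):
                return name + "-raw"
        if body.startswith(OID_SPNEGO):
            # Heuristic: the first known OID after the SPNEGO OID is the preferred mechanism
            hits = sorted((body.find(oid), name) for oid, name in MECHS if oid in body)
            return "spnego:" + (hits[0][1] if hits else "unknown-mech")
    return "unknown"


def constructed_ntlm_type1():
    """Constructed sample: NTLMSSP signature, message type 1, zeroed flags."""
    msg = NTLMSSP + (1).to_bytes(4, "little") + bytes(4)
    return "Negotiate " + base64.b64encode(msg).decode()
```

A result of `ntlm-raw:*` or `spnego:ntlm` on a connection expected to use Kerberos indicates NTLM fallback.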