使用httpclient 4.2.1进行NTLM身份验证

Question

I need to do a HTTP GET to a URL that needs NTLM authentication. I can access the URL using Firefox or Chrome on a MacBook Pro. The browser asks for the username/password combo and it works. I am now trying to do the same from Groovy using HttpClient. I followed the NTLM support guide , but I always get a 401 Unauthorized back. There is also this sentence in the response:

You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept.

I tried all kinds of combinations for the servername and domain (the remote windows pc is not on a domain) in this piece of code, but I always get the same response.

httpclient.getCredentialsProvider().setCredentials(
new AuthScope("myserver", -1), 
new NTCredentials("username", "password", "MYSERVER", "MYDOMAIN"));

Anybody had the same problem and managed to solve it? Note that this is an external program that uses IIS under the hood, so I don't think I can change any settings there.

EDIT:

Unlike what I have said, I managed to change the security settings in IIS to accept BASIC authentation, so I don't have the problem anymore.

Answer 1

EDIT:

In my experience with setting up Kerberos or NTLM (both are single sign on), you don't have to enter username/password at all when you are already logged in to your system.

I am pretty sure that when the browser asked for username/password combo, that's not an NTLM authentication at all. Most likely the server side application has a fallback scheme to HTTP Basic Digest (that why it displayed the username/password combo). With NTLM you'll never have to enter your username/password (principal/credentials) at all, as the server will recognize who you are through the negotiation mechanism between your browser, your operating system, server and Active Directory server.

If your MacBook Pro is running on OS/X, you also need to add your OS/X to the domain. Your server also needs to be in the same domain where the client OS/X being added. This may not be a trivial case. Some external tools/driver may be needed. This one may be a good candidate (but I haven't tried that).

NTLM needs both the client to be a member of the same domain as the server, hence both needs to be registered in the Active Directory domain. If your server is not in the domain, than that will be another set of problem.

In order to get your browser works with NTLM, you need to install plugin (ntlmauth-plugin?). But I have never try that on MacOS/X yet. Even in Windows you still need a plugin in order to run Firefox successfully with NTLM.

Answer 2

HttpClient did not work for me but finally the code below worked. Reference - http://docs.oracle.com/javase/7/docs/technotes/guides/net/http-auth.html

For quick reference -

public static String getResponse(String url, String userName, String password) throws IOException {
Authenticator.setDefault(new Authenticator() {
  @Override
  public PasswordAuthentication getPasswordAuthentication() {
    System.out.println(getRequestingScheme() + " authentication");
    return new PasswordAuthentication(userName, password.toCharArray());
  }
});

URL urlRequest = new URL(url);
HttpURLConnection conn = (HttpURLConnection) urlRequest.openConnection();
conn.setDoOutput(true);
conn.setDoInput(true);
conn.setRequestMethod("GET");

StringBuilder response = new StringBuilder();
InputStream stream = conn.getInputStream();
BufferedReader in = new BufferedReader(new InputStreamReader(stream));
String str = "";
while ((str = in.readLine()) != null) {
  response.append(str);
}
in.close();

return response.toString();

}