HttpComponents HttpClient / HTTPCLIENT-1300

HttpClient does not retry authentication when multiple challenges are present if the primary one fails

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 4.2.2, 4.2.3
    • Fix Version/s: None
    • Component/s: HttpClient
    • Labels:
      None
    • Environment:
      Windows 2008 R2 SP1

      Description

      Hello,

      When you communicate with a Microsoft SharePoint server (which is IIS 7.5), you have only two authentication providers configured, in the following order: Negotiate, NTLM.

      HTTPCLIENT tries Negotiate, but never tries NTLMv2 and it's failing. I tried with Apache HTTPCOMPONENTS 4.2.2 and 4.2.3.

      I got the following message:

      {errorMessage=Wrong username or password was provided;returnCode=-1;Result=PAGE_NOT_FOUND;status=HTTP/1.1 401 Unauthorized;urls=;responseTimeInMs=6844;responseHeaders=Server: Microsoft-IIS/7.5,SPRequestGuid: 60de579b-9c73-4e61-9638-3dd0de48516d,WWW-Authenticate: Negotiate,WWW-Authenticate: NTLM,X-Powered-By: ASP.NET,MicrosoftSharePointTeamServices: 14.0.0.6117,X-MS-InvokeApp: 1; RequireReadOnly,Date: Fri, 18 Jan 2013 14:06:56 GMT,Content-Length: 0;document=;httpResult=UNAUTHORIZED;sessionId=iconclude-5340417449766813898;pageLoadTimeInMs=0;resultText=PAGE_NOT_FOUND;URL=http://collaboration-mptf-int.sharepoint.resources.noxiane.net/is/orchesthp/SitePages/Home.aspx;}

      Here is the log4j debugger:
      DEBUG (15:00:26,777) org.apache.http.client.protocol.RequestAddCookies - CookieSpec selected: best-match
      DEBUG (15:00:26,929) org.apache.http.client.protocol.RequestAuthCache - Auth cache not set in the context
      DEBUG (15:00:26,929) org.apache.http.client.protocol.RequestTargetAuthentication - Target auth state: UNCHALLENGED
      DEBUG (15:00:26,935) org.apache.http.client.protocol.RequestProxyAuthentication - Proxy auth state: UNCHALLENGED
      DEBUG (15:00:26,935) org.apache.http.impl.client.DefaultHttpClient - Attempt 1 to execute request
      DEBUG (15:00:26,949) org.apache.http.wire - >> "GET /is/orchesthp/SitePages/Home.aspx HTTP/1.1[\r][\n]"
      DEBUG (15:00:26,972) org.apache.http.wire - >> "Host: collaboration-mptf-int.sharepoint.resources.noxiane.net[\r][\n]"
      DEBUG (15:00:26,972) org.apache.http.wire - >> "Connection: Keep-Alive[\r][\n]"
      DEBUG (15:00:26,972) org.apache.http.wire - >> "User-Agent: Apache-HttpClient/4.2.2 (java 1.5)[\r][\n]"
      DEBUG (15:00:26,972) org.apache.http.wire - >> "[\r][\n]"
      DEBUG (15:00:26,977) org.apache.http.wire - << "HTTP/1.1 401 Unauthorized[\r][\n]"
      DEBUG (15:00:27,007) org.apache.http.wire - << "Server: Microsoft-IIS/7.5[\r][\n]"
      DEBUG (15:00:27,007) org.apache.http.wire - << "SPRequestGuid: 90d86bed-0465-4485-9cbc-e561497b7da2[\r][\n]"
      DEBUG (15:00:27,007) org.apache.http.wire - << "WWW-Authenticate: Negotiate[\r][\n]"
      DEBUG (15:00:27,007) org.apache.http.wire - << "WWW-Authenticate: NTLM[\r][\n]"
      DEBUG (15:00:27,007) org.apache.http.wire - << "X-Powered-By: ASP.NET[\r][\n]"
      DEBUG (15:00:27,007) org.apache.http.wire - << "MicrosoftSharePointTeamServices: 14.0.0.6117[\r][\n]"
      DEBUG (15:00:27,007) org.apache.http.wire - << "X-MS-InvokeApp: 1; RequireReadOnly[\r][\n]"
      DEBUG (15:00:27,007) org.apache.http.wire - << "Date: Fri, 18 Jan 2013 14:00:06 GMT[\r][\n]"
      DEBUG (15:00:27,007) org.apache.http.wire - << "Content-Length: 0[\r][\n]"
      DEBUG (15:00:27,008) org.apache.http.wire - << "[\r][\n]"
      DEBUG (15:00:27,056) org.apache.http.impl.client.DefaultHttpClient - Connection can be kept alive indefinitely
      DEBUG (15:00:27,057) org.apache.http.impl.client.DefaultHttpClient - Authentication required
      DEBUG (15:00:27,057) org.apache.http.impl.client.DefaultHttpClient - collaboration-mptf-int.sharepoint.resources.noxiane.net:80 requested authentication
      DEBUG (15:00:27,075) org.apache.http.impl.client.TargetAuthenticationStrategy - Authentication schemes in the order of preference: [negotiate, Kerberos, NTLM, Digest, Basic]
      DEBUG (15:00:27,151) org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Kerberos authentication scheme not available
      DEBUG (15:00:27,217) org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Digest authentication scheme not available
      DEBUG (15:00:27,218) org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Basic authentication scheme not available
      DEBUG (15:00:27,218) org.apache.http.impl.client.DefaultHttpClient - Selected authentication options: [NEGOTIATE, NTLM]
      DEBUG (15:00:27,224) org.apache.http.client.protocol.RequestAddCookies - CookieSpec selected: best-match
      DEBUG (15:00:27,225) org.apache.http.client.protocol.RequestAuthCache - Auth cache not set in the context
      DEBUG (15:00:27,225) org.apache.http.client.protocol.RequestTargetAuthentication - Target auth state: CHALLENGED
      DEBUG (15:00:27,225) org.apache.http.client.protocol.RequestTargetAuthentication - Generating response to an authentication challenge using Negotiate scheme
      WARN (15:00:34,353) org.apache.http.client.protocol.RequestTargetAuthentication - NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
      DEBUG (15:00:34,353) org.apache.http.client.protocol.RequestTargetAuthentication - Generating response to an authentication challenge using ntlm scheme
      DEBUG (15:00:34,366) org.apache.http.client.protocol.RequestProxyAuthentication - Proxy auth state: UNCHALLENGED
      DEBUG (15:00:34,366) org.apache.http.impl.client.DefaultHttpClient - Attempt 2 to execute request
      DEBUG (15:00:34,367) org.apache.http.wire - >> "GET /is/orchesthp/SitePages/Home.aspx HTTP/1.1[\r][\n]"
      DEBUG (15:00:34,367) org.apache.http.wire - >> "Host: collaboration-mptf-int.sharepoint.resources.noxiane.net[\r][\n]"
      DEBUG (15:00:34,367) org.apache.http.wire - >> "Connection: Keep-Alive[\r][\n]"
      DEBUG (15:00:34,367) org.apache.http.wire - >> "User-Agent: Apache-HttpClient/4.2.2 (java 1.5)[\r][\n]"
      DEBUG (15:00:34,367) org.apache.http.wire - >> "Authorization: NTLM TlRMTVNTUAABAAAANQIIIAgACABMAAAALAAsACAAAABDAE8ATABMAEEAQgBPAFIAQQBUAEkATwBOAC0ATQBQAFQARgAtAEkATgBUAEMATwBSAFAA[\r][\n]"
      DEBUG (15:00:34,367) org.apache.http.wire - >> "[\r][\n]"
      DEBUG (15:00:34,370) org.apache.http.wire - << "HTTP/1.1 401 Unauthorized[\r][\n]"
      DEBUG (15:00:34,370) org.apache.http.wire - << "Server: Microsoft-IIS/7.5[\r][\n]"
      DEBUG (15:00:34,370) org.apache.http.wire - << "SPRequestGuid: cfb6e459-429e-46da-b161-6d960808d5b8[\r][\n]"
      DEBUG (15:00:34,370) org.apache.http.wire - << "WWW-Authenticate: NTLM TlRMTVNTUAACAAAAFAAUADgAAAA1AokiFxDqE0xWbnYAAAAAAAAAACABIAFMAAAABgGxHQAAAA9TAEgAQQBSAEUAUABPAEkATgBUAAIAFABTAEgAQQBSAEUAUABPAEkATgBUAAEAHgBNAFAAVABGAC0ASQBOAFQALQBXAEYARQAtADAAMgAEAEAAcwBoAGEAcgBlAHAAbwBpAG4AdAAuAHIAZQBzAG8AdQByAGMAZQBzAC4AbgBvAHgAaQBhAG4AZQAuAG4AZQB0AAMAYABNAFAAVABGAC0ASQBOAFQALQBXAEYARQAtADAAMgAuAHMAaABhAHIAZQBwAG8AaQBuAHQALgByAGUAcwBvAHUAcgBjAGUAcwAuAG4AbwB4AGkAYQBuAGUALgBuAGUAdAAFACoAcgBlAHMAbwB1AHIAYwBlAHMALgBuAG8AeABpAGEAbgBlAC4AbgBlAHQABwAIABqLNyOE9c0BAAAAAA==[\r][\n]"
      DEBUG (15:00:34,370) org.apache.http.wire - << "WWW-Authenticate: Negotiate[\r][\n]"
      DEBUG (15:00:34,370) org.apache.http.wire - << "X-Powered-By: ASP.NET[\r][\n]"
      DEBUG (15:00:34,370) org.apache.http.wire - << "MicrosoftSharePointTeamServices: 14.0.0.6117[\r][\n]"
      DEBUG (15:00:34,370) org.apache.http.wire - << "X-MS-InvokeApp: 1; RequireReadOnly[\r][\n]"
      DEBUG (15:00:34,370) org.apache.http.wire - << "Date: Fri, 18 Jan 2013 14:00:13 GMT[\r][\n]"
      DEBUG (15:00:34,370) org.apache.http.wire - << "Content-Length: 0[\r][\n]"
      DEBUG (15:00:34,370) org.apache.http.wire - << "[\r][\n]"
      DEBUG (15:00:34,371) org.apache.http.impl.client.DefaultHttpClient - Connection can be kept alive indefinitely
      DEBUG (15:00:34,371) org.apache.http.impl.client.DefaultHttpClient - Authentication required
      DEBUG (15:00:34,371) org.apache.http.impl.client.DefaultHttpClient - collaboration-mptf-int.sharepoint.resources.noxiane.net:80 requested authentication
      DEBUG (15:00:34,371) org.apache.http.impl.client.DefaultHttpClient - Authorization challenge processed
      DEBUG (15:00:34,371) org.apache.http.client.protocol.RequestAddCookies - CookieSpec selected: best-match
      DEBUG (15:00:34,371) org.apache.http.client.protocol.RequestAuthCache - Auth cache not set in the context
      DEBUG (15:00:34,372) org.apache.http.client.protocol.RequestTargetAuthentication - Target auth state: HANDSHAKE
      DEBUG (15:00:34,408) org.apache.http.client.protocol.RequestProxyAuthentication - Proxy auth state: UNCHALLENGED
      DEBUG (15:00:34,408) org.apache.http.impl.client.DefaultHttpClient - Attempt 3 to execute request
      DEBUG (15:00:34,409) org.apache.http.wire - >> "GET /is/orchesthp/SitePages/Home.aspx HTTP/1.1[\r][\n]"
      DEBUG (15:00:34,409) org.apache.http.wire - >> "Host: collaboration-mptf-int.sharepoint.resources.noxiane.net[\r][\n]"
      DEBUG (15:00:34,409) org.apache.http.wire - >> "Connection: Keep-Alive[\r][\n]"
      DEBUG (15:00:34,409) org.apache.http.wire - >> "User-Agent: Apache-HttpClient/4.2.2 (java 1.5)[\r][\n]"
      DEBUG (15:00:34,409) org.apache.http.wire - >> "Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAABMAUwBWAAAAAgACACkAQAADgAOAKwBAAAsACwAugEAAAAAAADmAQAANQIIICipdbok35bE6eJidUu0pi4IMMUcKJouzIX2Ucophb8Nl5+9qtEuOzoBAQAAAAAAAICucS+E9c0BCDDFHCiaLswAAAAAAgAUAFMASABBAFIARQBQAE8ASQBOAFQAAQAeAE0AUABUAEYALQBJAE4AVAAtAFcARgBFAC0AMAAyAAQAQABzAGgAYQByAGUAcABvAGkAbgB0AC4AcgBlAHMAbwB1AHIAYwBlAHMALgBuAG8AeABpAGEAbgBlAC4AbgBlAHQAAwBgAE0AUABUAEYALQBJAE4AVAAtAFcARgBFAC0AMAAyAC4AcwBoAGEAcgBlAHAAbwBpAG4AdAAuAHIAZQBzAG8AdQByAGMAZQBzAC4AbgBvAHgAaQBhAG4AZQAuAG4AZQB0AAUAKgByAGUAcwBvAHUAcgBjAGUAcwAuAG4AbwB4AGkAYQBuAGUALgBuAGUAdAAHAAgAGos3I4T1zQEAAAAAQwBPAFIAUABwADAANgA2ADIAOAAzAEMATwBMAEwAQQBCAE8AUgBBAFQASQBPAE4ALQBNAFAAVABGAC0ASQBOAFQA[\r][\n]"
      DEBUG (15:00:34,409) org.apache.http.wire - >> "[\r][\n]"
      DEBUG (15:00:34,512) org.apache.http.wire - << "HTTP/1.1 401 Unauthorized[\r][\n]"
      DEBUG (15:00:34,512) org.apache.http.wire - << "Server: Microsoft-IIS/7.5[\r][\n]"
      DEBUG (15:00:34,512) org.apache.http.wire - << "SPRequestGuid: bbb2a76b-1aa8-465c-9335-3a01acfac313[\r][\n]"
      DEBUG (15:00:34,512) org.apache.http.wire - << "WWW-Authenticate: Negotiate[\r][\n]"
      DEBUG (15:00:34,512) org.apache.http.wire - << "WWW-Authenticate: NTLM[\r][\n]"
      DEBUG (15:00:34,513) org.apache.http.wire - << "X-Powered-By: ASP.NET[\r][\n]"
      DEBUG (15:00:34,513) org.apache.http.wire - << "MicrosoftSharePointTeamServices: 14.0.0.6117[\r][\n]"
      DEBUG (15:00:34,513) org.apache.http.wire - << "X-MS-InvokeApp: 1; RequireReadOnly[\r][\n]"
      DEBUG (15:00:34,513) org.apache.http.wire - << "Date: Fri, 18 Jan 2013 14:00:13 GMT[\r][\n]"
      DEBUG (15:00:34,513) org.apache.http.wire - << "Content-Length: 0[\r][\n]"
      DEBUG (15:00:34,513) org.apache.http.wire - << "[\r][\n]"
      DEBUG (15:00:34,513) org.apache.http.impl.client.DefaultHttpClient - Connection can be kept alive indefinitely
      DEBUG (15:00:34,513) org.apache.http.impl.client.DefaultHttpClient - Authentication required
      DEBUG (15:00:34,513) org.apache.http.impl.client.DefaultHttpClient - collaboration-mptf-int.sharepoint.resources.noxiane.net:80 requested authentication
      DEBUG (15:00:34,514) org.apache.http.impl.client.DefaultHttpClient - Authorization challenge processed
      DEBUG (15:00:34,514) org.apache.http.impl.client.DefaultHttpClient - Authentication failed

      Thanks very much for your help.

      1. httpClient_4.2.2.log
        10 kB
        Michael
      2. httpClient_4.2.3.log
        10 kB
        Michael

        Activity

        Oleg Kalnichevski added a comment -

        Please look at the log more carefully. HttpClient does try both schemes

        DEBUG (15:42:25,201) org.apache.http.client.protocol.RequestTargetAuthentication - Generating response to an authentication challenge using Negotiate scheme
        WARN (15:42:25,202) org.apache.http.client.protocol.RequestTargetAuthentication - NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
        ...
        DEBUG (15:42:25,202) org.apache.http.client.protocol.RequestTargetAuthentication - Generating response to an authentication challenge using ntlm scheme
        ...
        DEBUG (15:42:25,203) org.apache.http.wire - >> "GET /is/orchesthp/SitePages/Home.aspx HTTP/1.1[\r][\n]"
        DEBUG (15:42:25,203) org.apache.http.wire - >> "Host: collaboration-mptf-int.sharepoint.resources.noxiane.net[\r][\n]"
        ...
        DEBUG (15:42:25,203) org.apache.http.wire - >> "Authorization: NTLM TlRMTVNTUAABAAAAkYII4gAAAAAoAAAAAAAAACgAAAAFASgKAAAADw==[\r][\n]"

        Oleg
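
        The distinction drawn in the comment above, between "NTLM never attempted" and "NTLM attempted and rejected", can be read mechanically from a wire log. The Python below is an added example, not part of the issue or of HttpClient: it classifies each NTLM token by its NTLMSSP message type and reduces the log to its authentication events. The function names are illustrative and the sample lines and tokens are constructed.

```python
import base64, re, struct

WIRE = re.compile(r'http\.wire - (>>|<<) "(.*?)(?:\[\\r\]\[\\n\])?"\s*$')  # wire-log line
NTLM_HDR = re.compile(r'^(?:WWW-Authenticate|Authorization): NTLM (\S+)$', re.I)

def ntlm_type(token):
    """Return the NTLMSSP message type (1, 2 or 3) of a base64 token, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian type field

def trace(lines):
    """Reduce a debug log to the ordered authentication events it records."""
    events = []
    for line in lines:
        if "NEGOTIATE authentication error" in line:
            events.append("negotiate-failed")
        m = WIRE.search(line)
        if not m:
            continue
        direction, text = m.groups()
        if direction == "<<" and text.startswith("HTTP/1.1 "):
            events.append("status-" + text.split()[1])
        hdr = NTLM_HDR.match(text)
        if hdr and (mtype := ntlm_type(hdr.group(1))):
            events.append(f"{direction}ntlm-type{mtype}")
    return events

def diagnose(events):
    """Tell 'NTLM never tried' apart from 'NTLM tried and rejected'."""
    if ">>ntlm-type3" in events:
        later = events[events.index(">>ntlm-type3") + 1:]
        return "ntlm-rejected" if "status-401" in later else "ntlm-accepted"
    return "ntlm-incomplete" if ">>ntlm-type1" in events else "ntlm-not-attempted"

def wire(direction, text, ntlm=None):  # constructed log line; ntlm=N adds a type-N token
    if ntlm:
        text += " " + base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", ntlm) + bytes(20)).decode()
    return f'DEBUG (15:00:34,367) org.apache.http.wire - {direction} "{text}[\\r][\\n]"'

STATUS = wire("<<", "HTTP/1.1 401 Unauthorized")
SAMPLE = [STATUS, "WARN (15:00:34,353) RequestTargetAuthentication - NEGOTIATE authentication error",
          wire(">>", "Authorization: NTLM", 1), STATUS, wire("<<", "WWW-Authenticate: NTLM", 2),
          wire(">>", "Authorization: NTLM", 3), STATUS]
```

        The constructed sample mirrors the sequence in the reporter's log: a failed Negotiate attempt, then NTLM type 1, type 2 and type 3 messages followed by a final 401.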


          People

          • Assignee:
            Unassigned
            Reporter:
            Michael
          • Votes:
            0
            Watchers:
            2