I have found when using the org.apache.http.impl.auth.win patch for Kerberos authentication in our corporate environment the InitializeSecurityContext *pszTargetName parameter must be set to the service principal name (http://msdn.microsoft.com/en-us/library/windows/desktop/ms721625(v=vs.85).aspx#_security_service_principal_name_gly) for the Kerberos handshake to succeed.
This patch allows the service principal name to be provided to the WindowsNegotiateScheme constructor via the Factory classes.
I am unsure if this is required or correct for NTLM.
For reference the SPN we use is of the form: HTTP/myserver.mycomp.com@REALM.MYCOMP.COM
- "myserver.mycomp.com" is the host name of the server we want to connect to
- "REALM.MYCOMP.COM" is the active directory realm.