  1. HttpComponents HttpClient
  2. HTTPCLIENT-1491

Enable provision of Service Principal Name to InitializeSecurityContext

Details

    Description

      I have found that, when using the org.apache.http.impl.auth.win patch for Kerberos authentication in our corporate environment, the InitializeSecurityContext *pszTargetName parameter must be set to the service principal name (http://msdn.microsoft.com/en-us/library/windows/desktop/ms721625(v=vs.85).aspx#_security_service_principal_name_gly) for the Kerberos handshake to succeed.

      This patch allows the service principal name to be provided to the WindowsNegotiateScheme constructor via the Factory classes.

      I am unsure if this is required or correct for NTLM.

      For reference the SPN we use is of the form: HTTP/myserver.mycomp.com@REALM.MYCOMP.COM

      • "myserver.mycomp.com" is the host name of the server we want to connect to
      • "REALM.MYCOMP.COM" is the Active Directory realm.

      Attachments

        1. auth.win.patch
          4 kB
          Malcolm Smith

          People

            Unassigned
            malcolmfsmith@gmail.com Malcolm Smith
              Time Tracking

                Original Estimate: 24h
                Remaining Estimate: 24h
                Time Spent: Not Specified
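
The request in the description, sketched as an added example (not the attached patch and not the reporter's code): a fixed SPN of the form quoted above is validated and handed to the Negotiate scheme factory, so it becomes the target name for InitializeSecurityContext. It assumes an httpclient-win release in which WindowsNegotiateSchemeFactory has a constructor taking the SPN, running on Windows with JNA on the classpath; the class name SpnNegotiateClient and the helpers buildSpn and create are hypothetical.

```java
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.win.WindowsCredentialsProvider;
import org.apache.http.impl.auth.win.WindowsNegotiateSchemeFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.client.SystemDefaultCredentialsProvider;

import java.util.regex.Pattern;

public final class SpnNegotiateClient {
    // Plain DNS-style names only, so '/', '@' or whitespace cannot change the SPN structure.
    private static final Pattern DNS_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9.-]*");

    /** Builds HTTP/<host>@<REALM>, the SPN form quoted in the issue description. */
    static String buildSpn(String host, String realm) {
        if (host == null || realm == null
                || !DNS_NAME.matcher(host).matches()
                || !DNS_NAME.matcher(realm).matches()) {
            throw new IllegalArgumentException("host and realm must be plain DNS-style names");
        }
        return "HTTP/" + host + "@" + realm;
    }

    /** Client whose Negotiate scheme is created with the given SPN (assumed factory constructor). */
    static CloseableHttpClient create(String spn) {
        Registry<AuthSchemeProvider> schemes = RegistryBuilder.<AuthSchemeProvider>create()
                .register(AuthSchemes.SPNEGO, new WindowsNegotiateSchemeFactory(spn))
                .build();
        return HttpClients.custom()
                .setDefaultAuthSchemeRegistry(schemes)
                // Makes the logged-on Windows user's credentials available to the scheme.
                .setDefaultCredentialsProvider(
                        new WindowsCredentialsProvider(new SystemDefaultCredentialsProvider()))
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Host and realm are the placeholder values from the issue description.
        String spn = buildSpn("myserver.mycomp.com", "REALM.MYCOMP.COM");
        System.out.println("SPN: " + spn);
        try (CloseableHttpClient client = create(spn)) {
            // Requests sent through this client negotiate against the fixed SPN above.
        }
    }
}
```

Taking the SPN from configuration and validating it, rather than deriving it from a server-supplied name, keeps the client requesting a ticket only for the service it intends to reach.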