4

I'm running HttpClient 4.3.6 in Java 6. When I run the following code, the authentication appears to succeed. The Status Code returned is 200. However, I'm getting the following error message in the console:

WARNING: NEGOTIATE authentication error: Invalid name provided (Mechanism level: Could not load configuration file C:\Windows\krb5.ini (the system cannot find the file specified))

How do I eliminate this warning?

CloseableHttpClient httpclient = HttpClients.createDefault();
HttpContext localContext = new BasicHttpContext();
HttpGet method = new HttpGet(url);
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(
   new AuthScope(host, 80),
   new NTCredentials(userid, password, host, login_domain));

localContext.setAttribute(HttpClientContext.CREDS_PROVIDER, credsProvider);

String filePath = null;

// Execute the method.
CloseableHttpResponse clientResponse = httpclient.execute(method, localContext);

HttpEntity entity = clientResponse.getEntity();

int statusCode = clientResponse.getStatusLine().getStatusCode();

if (statusCode != HttpStatus.SC_OK) {
   System.err.println("Method failed: " + method.getRequestLine());
}
Michael Sobczak
  • 1,045
  • 1
  • 24
  • 45

3 Answers3

8

You need to pass in a set of target preferred auth schemes:

Create your httpClient like this:

PoolingHttpClientConnectionManager connPool = new PoolingHttpClientConnectionManager();

connPool.setMaxTotal(200);
connPool.setDefaultMaxPerRoute(200);

// Authentication
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(AuthScope.ANY, new NTCredentials(username, password, workstation, domain));


RequestConfig config = RequestConfig.custom().setTargetPreferredAuthSchemes(Arrays.asList(AuthSchemes.NTLM)).build();

CloseableHttpClient httpClient = HttpClients.custom().setConnectionManager(connPool).setDefaultRequestConfig(config).build();

HttpClientContext context = HttpClientContext.create();
context.setCredentialsProvider(credsProvider);
Bob Thule
  • 691
  • 9
  • 15
  • Thanks for your solution. Where/how do I set the AuthScope and NTCredentials? – Michael Sobczak Feb 26 '15 at 13:46
  • @MichaelSobczak I just noticed that my answer was not correct, so I edited this answer. You don't want to remove providers, but instead set the TargetPeferredAuthSchems to be NTLM. – Bob Thule May 12 '15 at 14:19
1

Yes I believe that, in fact, your authentication is successful and is probably just falling back to NTLM from Kerberos. My code looks similar to yours and in my application I'm connecting to SharePoint using HttpClient 4.3.5 in Java 7. When SharePoint is configured to "Negotiate" (Attempt Kerberos and then failover to NTLM), I will see a similar error to what you reported in the HttpClient generated logging, specifically:

Selected authentication options: [NEGOTIATE, NTLM] Executing request GET /my/personal/user2/_api/web?$select=ServerRelativeUrl HTTP/1.1 Target auth state: CHALLENGED Generating response to an authentication challenge using Negotiate scheme init XXX.XXX.XXX.XXX:80 NEGOTIATE authentication error: org.ietf.jgss.GSSException, major code: 11, minor code: 0 major string: General failure, unspecified at GSSAPI level minor string: Desired initLifetime zero or less Generating response to an authentication challenge using ntlm scheme

Following that, it will successfully authenticate via NTLM. So, I read that error message as saying "Kerberos didn't work, now we'll use NTLM". As long as you're getting a 200 response, you should be good to go.

Thomas Doman
  • 556
  • 7
  • 19
0

Are you sure authentication is happening successfully, if the website is set to Negotiate (Attempt Kerbero, then failover to NTLM) BASIC authentication would probably not be successful.

Avi
  • 406
  • 2
  • 8
  • I believe so. When the code runs, I'm able to get a Crystal Report back from the IIS server. When authentication fails, I don't get a Crystal Report at all. – Michael Sobczak Dec 04 '14 at 21:24