John

Reputation: 464

WinRM(WsMan) and NTLM authentication

I'm trying to use NTLM authentication during a WsMan connection, but the problem is that WinRM doesn't support the NTLM scheme directly. Here are the response headers:

21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 401 [\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Server: Microsoft-HTTPAPI/2.0[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "WWW-Authenticate: Negotiate[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "WWW-Authenticate: Kerberos[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "WWW-Authenticate: CredSSP[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Date: Thu, 10 Aug 2017 18:57:33 GMT[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Connection: close[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Content-Length: 0[\r][\n]"

The NTLM scheme is not mentioned in the official documentation: https://learn.microsoft.com/en-us/powershell/module/Microsoft.WsMan.Management/Get-WSManInstance?view=powershell-5.1

But it says:

Negotiate. Negotiate is a challenge-response scheme that negotiates with the server or proxy to determine the scheme to use for authentication. For example, this parameter value allows for negotiation to determine whether the Kerberos protocol or NTLM is used.

I'm trying to use the SPNEGO scheme:

RegistryBuilder<AuthSchemeProvider> builder = RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory());

But in the end, it fails: https://pastebin.com/gGNEHGpx

So it looks like NTLM is a sub-mechanism of SPNEGO, but how do I use it correctly with Apache http-client?

Upvotes: 0

Views: 3524

Answers (2)

John

Reputation: 464

I found a SpNegoNTLMSchemeFactory that works correctly with WinRM: https://gist.github.com/moberwasserlechner/4690931

JCIFSEngine.java == apache NTLMEngineImpl.java

SpNegoNTLMSchemeFactory.java == apache NTLMSchemeFactory.java

SpNegoNTLMScheme.java != apache NTLMScheme.java

But the only difference here is:

  @Override
  public String getSchemeName() {
    return AuthSchemes.SPNEGO; //<- the Apache class returns NTLM here
  }


  @Override
  public Header authenticate(final Credentials credentials, final HttpRequest request) throws AuthenticationException {
    ...
    buffer.append(": ");
    buffer.append(getSchemeName().toUpperCase());  //<- the Apache class returns NTLM here
    buffer.append(" ");
    buffer.append(response);
    return new BufferedHeader(buffer);
  }

Upvotes: 0
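
To check in a wire log what the scheme above actually sends, the following added example (not part of the answer or the linked gist) classifies the token in a Negotiate header as either a raw NTLMSSP message or a GSS-API token carrying the SPNEGO OID. The class name, method names and sample tokens are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Added example; the class and method names are hypothetical.
public class NegotiateTokenCheck {
    private static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    // DER encoding of the SPNEGO mechanism OID 1.3.6.1.5.5.2
    private static final byte[] SPNEGO_OID = {0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};

    static boolean matchesAt(byte[] data, int off, byte[] expected) {
        return data.length >= off + expected.length
            && Arrays.equals(Arrays.copyOfRange(data, off, off + expected.length), expected);
    }

    /** Takes a header value such as "Negotiate <base64>" and says what the token is. */
    static String classify(String headerValue) {
        String[] parts = headerValue.trim().split("\\s+", 2);
        if (parts.length < 2) return parts[0] + ": scheme offered, no token";
        byte[] token;
        try {
            token = Base64.getDecoder().decode(parts[1].trim());
        } catch (IllegalArgumentException e) {
            return parts[0] + ": token is not valid base64";
        }
        if (matchesAt(token, 0, NTLMSSP) && token.length >= 12) {
            // The NTLM message type is a little-endian 32-bit integer at offset 8.
            int type = ByteBuffer.wrap(token, 8, 4).order(ByteOrder.LITTLE_ENDIAN).getInt();
            return parts[0] + ": raw NTLMSSP message, type " + type;
        }
        if (token.length > 2 && (token[0] & 0xff) == 0x60) {
            // GSS-API initial token: 0x60, DER length (short or long form), mechanism OID.
            int len = token[1] & 0xff;
            int oidAt = 2 + ((len & 0x80) != 0 ? (len & 0x7f) : 0);
            return parts[0] + (matchesAt(token, oidAt, SPNEGO_OID)
                ? ": GSS-API token with the SPNEGO OID" : ": GSS-API token for another mechanism");
        }
        return parts[0] + ": unrecognised token";
    }

    public static void main(String[] args) {
        byte[] type1 = Arrays.copyOf(NTLMSSP, 16);  // constructed: signature, type field, zero flags
        type1[8] = 1;
        byte[] spnego = {0x60, 0x08, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};  // constructed stub
        System.out.println(classify("Negotiate"));  // offer only, as in the 401 response in the question
        System.out.println(classify("NEGOTIATE " + Base64.getEncoder().encodeToString(type1)));
        System.out.println(classify("Negotiate " + Base64.getEncoder().encodeToString(spnego)));
    }
}
```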
