Kerberos connection using HTTP Client

java authentication kerberos apache-commons-httpclient
Sergei Sokolov picture Sergei Sokolov · Mar 27, 2012 · Viewed 16.8k times · Source

I'm writing HTTP connection with Kerberos authentication. I have "HTTP/1.1 401 Unauthorized". Could you recommend me what I should check? I think there's somethink trick, but I don't see it.

May be I should set header "WWW-Authenticate" with "Negotiate"?

Thank a lot in advanced for any help and ideas.

public class ClientKerberosAuthentication {

    public static void main(String[] args) throws Exception {

        System.setProperty("java.security.auth.login.config", "login.conf");
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        System.setProperty("sun.security.krb5.debug", "true");
        System.setProperty("javax.security.auth.useSubjectCredsOnly","false");

        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
           NegotiateSchemeFactory nsf = new NegotiateSchemeFactory();
           httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);            

           List<String> authpref = new ArrayList<String>();
           authpref.add(AuthPolicy.BASIC);
           authpref.add(AuthPolicy.SPNEGO);
           httpclient.getParams().setParameter(AuthPNames.PROXY_AUTH_PREF, authpref);            


           httpclient.getCredentialsProvider().setCredentials(
                  new AuthScope(null, -1, AuthScope.ANY_REALM, AuthPolicy.SPNEGO), 
                  new UsernamePasswordCredentials("myuser", "mypass"));            

           System.out.println("----------------------------------------");
           HttpUriRequest request = new HttpGet("http://localhost:8084/web-app/webdav/213/_test.docx");
           HttpResponse response = httpclient.execute(request);
           HttpEntity entity = response.getEntity();

           System.out.println("----------------------------------------");
           System.out.println(response.getStatusLine());
           System.out.println("----------------------------------------");
           if (entity != null) {
               System.out.println(EntityUtils.toString(entity));
           }
           System.out.println("----------------------------------------");

           // This ensures the connection gets released back to the manager
           EntityUtils.consume(entity);

        } finally {
           httpclient.getConnectionManager().shutdown();
        }
    }
}

Answer

Yves Martin picture Yves Martin · Jun 19, 2012

SPNEGO will not work because you use localhost as URL hostname.

Your server is configured for a set of SPNs (or at least one) beginning with HTTP/ registered on the ActiveDirectory service account. You can query them from AD thanks to setspn -l yourServiceAccount.

Your URL must use an effective server hostname known as SPN in ActiveDirectory so that Apache Http Client can negotiate a TGS for this service and send it to your server.

Related questions

Java SSO: Kerberos authentication against Active Directory

I'm still trying to find a Java based solution for SSO (running on *nix), which I can use on JBoss to authorize against an Active Directory/domain controller. I initially tried to do this via NTLM, but gave up because …

Read More
HttpClient set credentials for Kerberos authentication

I am trying to authenticate with a kerberos/HTTP host. Using Apache HttpClient as my client - and a slightly modified version of this source. My Kerberos authentication goes perfectly fine, and I wish to know how to set the …

Read More
Authenticating with Active Directory via Kerberos

I'm working on building an android application which requires different levels of authentication, and I would like to do so using Active Directory. From what I've read, using Kerberos is the way Microsoft suggests. How do I do this for …

Read More