JDK-8151122

NTLM authentication fails when authenticating against server in alternate domain


    • x86_64
    • windows_7

      FULL PRODUCT VERSION :
      java version "1.7.0_67"
      Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
      Java HotSpot(TM) Client VM (build 24.65-b04, mixed mode, sharing)

      java version "1.7.0_72"
      Java(TM) SE Runtime Environment (build 1.7.0_72-b14)
      Java HotSpot(TM) 64-Bit Server VM (build 24.72-b04, mixed mode)

      java version "1.8.0_25"
      Java(TM) SE Runtime Environment (build 1.8.0_25-b18)
      Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)

      java version "1.8.0_31"
      Java(TM) SE Runtime Environment (build 1.8.0_31-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 25.31-b07, mixed mode)



      ADDITIONAL OS VERSION INFORMATION :
      SunOS test 5.10 Generic_150400-23 sun4u sparc SUNW,SPARC-Enterprise
      Linux testimsgf1 2.6.18-406.el5 #1 SMP Fri May 1 10:37:57 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
      Microsoft Windows [Version 6.1.7601]

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      Multi-domain Active Directory forest with a two-way trust to an additional Active Directory forest. The client is in one domain, and the Microsoft IIS web server (configured for Trusted Authentication) is in a different, trusted domain belonging to the second forest.


      A DESCRIPTION OF THE PROBLEM :
      When the Windows IIS server is configured for Trusted Authentication and has a default domain defined, the Java NTLM client ignores the locally provided domain and uses the value provided by the server. This is fundamentally wrong: the purpose of the domain-from-server value is to serve as a default for when the client does not supply a domain.

      com.sun.security.ntlm.Client.java

      Existing code:
              String domainFromServer = r.readSecurityBuffer(12, unicode);
              if (domainFromServer != null) {
                  domain = domainFromServer;
              }
              if (domain == null) {
                  domain = "";
              }

      Proposed fix:
              String domainFromServer = r.readSecurityBuffer(12, unicode);
              if (domainFromServer != null && (domain == null || domain.isEmpty())) {
                  domain = domainFromServer;
              }
              if (domain == null) {
                  domain = "";
              }
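      To make the precedence problem concrete, the following is an added example (not code from the JDK, from Client.java, or from the reporter). It builds a constructed NTLM Type 2 (CHALLENGE_MESSAGE) whose TargetName security buffer at offset 12 carries the server's default domain, reads that buffer with a stand-in for Client.java's readSecurityBuffer, and applies both the existing rule and the proposed rule to the reporter's "domain1\user" credential. The message layout follows MS-NLMP; the stand-in's null return for an empty buffer and the splitting of "domain\user" at the first backslash are assumptions made for this example.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;

public class NtlmDomainSelection {

    // Constructed NTLM Type 2 message. Layout per MS-NLMP CHALLENGE_MESSAGE:
    // Signature(8) MessageType(4) TargetNameFields(8) NegotiateFlags(4)
    // ServerChallenge(8) Reserved(8) TargetInfoFields(8) Version(8) Payload.
    // The server's default domain goes into the TargetName payload.
    static byte[] buildType2(String targetName, boolean unicode) {
        byte[] name = targetName.getBytes(unicode ? StandardCharsets.UTF_16LE : StandardCharsets.US_ASCII);
        int payloadOffset = 56;
        ByteBuffer b = ByteBuffer.allocate(payloadOffset + name.length).order(ByteOrder.LITTLE_ENDIAN);
        b.put("NTLMSSP\0".getBytes(StandardCharsets.US_ASCII));
        b.putInt(2);                                   // MessageType = CHALLENGE
        b.putShort((short) name.length);               // TargetName Len
        b.putShort((short) name.length);               // TargetName MaxLen
        b.putInt(payloadOffset);                       // TargetName BufferOffset (this is offset 12..19)
        int flags = 0x00000004 /* REQUEST_TARGET */ | (unicode ? 0x00000001 /* UNICODE */ : 0x00000002 /* OEM */);
        b.putInt(flags);
        b.put(new byte[8]);                            // ServerChallenge: zeroed in this constructed sample
        b.put(new byte[8]);                            // Reserved
        b.putShort((short) 0);                         // TargetInfo Len (empty)
        b.putShort((short) 0);                         // TargetInfo MaxLen
        b.putInt(payloadOffset + name.length);         // TargetInfo BufferOffset
        b.put(new byte[8]);                            // Version
        b.put(name);                                   // Payload: TargetName
        return b.array();
    }

    // Stand-in for Reader.readSecurityBuffer(offset, unicode) in the JDK's NTLM code (assumption).
    // A security buffer is Len(2) MaxLen(2) BufferOffset(4), little-endian.
    static String readSecurityBuffer(byte[] msg, int offset, boolean unicode) {
        ByteBuffer b = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        int len = b.getShort(offset) & 0xFFFF;
        int start = b.getInt(offset + 4);
        if (len == 0) {
            return null;                               // assumed: empty buffer reads as "no value"
        }
        return new String(msg, start, len, unicode ? StandardCharsets.UTF_16LE : StandardCharsets.US_ASCII);
    }

    // Split a "domain\user" credential into {domain, user}; domain is null when absent.
    static String[] splitUser(String configured) {
        int i = configured.indexOf('\\');
        if (i < 0) {
            return new String[] { null, configured };
        }
        return new String[] { configured.substring(0, i), configured.substring(i + 1) };
    }

    // Existing Client.java rule: the server's value always overrides the client's domain.
    static String existingRule(String domain, String domainFromServer) {
        if (domainFromServer != null) {
            domain = domainFromServer;
        }
        return domain == null ? "" : domain;
    }

    // Proposed rule: the server's value is only a default when the client supplied no domain.
    static String proposedRule(String domain, String domainFromServer) {
        if (domainFromServer != null && (domain == null || domain.isEmpty())) {
            domain = domainFromServer;
        }
        return domain == null ? "" : domain;
    }

    public static void main(String[] args) {
        byte[] type2 = buildType2("DOMAIN2", true);
        String fromServer = readSecurityBuffer(type2, 12, true);
        String[] cred = splitUser("domain1\\user");

        System.out.println("server default domain : " + fromServer);
        // Existing rule: the Type 3 response is built for DOMAIN2\user, so the
        // account in domain1 is never tried and the server keeps re-challenging.
        System.out.println("existing rule sends   : " + existingRule(cred[0], fromServer) + "\\" + cred[1]);
        // Proposed rule: the client's explicit domain1 is kept.
        System.out.println("proposed rule sends   : " + proposedRule(cred[0], fromServer) + "\\" + cred[1]);
        // Proposed rule with no client domain: the server default is still applied.
        System.out.println("no client domain      : " + proposedRule(null, fromServer) + "\\" + cred[1]);
    }
}
```

      Run it with `javac NtlmDomainSelection.java && java NtlmDomainSelection`. The point to check in a real capture is the same one the example isolates: whether the domain in the client's Type 3 AUTHENTICATE_MESSAGE matches what the Authenticator supplied or what the server's TargetName field announced.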


      REGRESSION. Last worked in version 6u45

      ADDITIONAL REGRESSION INFORMATION:
      java version "1.6.0_45"
      Java(TM) SE Runtime Environment (build 1.6.0_45-b06)
      Java HotSpot(TM) Server VM (build 20.45-b01, mixed mode)


      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Create a simple HttpClient to connect via the Negotiate protocol without a cached Kerberos (krb5) ticket. Configure the Authenticator instance to use username "domain1\user" and configure the IIS web server authentication module to default to "domain2". Ensure domain1 and domain2 are trusted domains (or within the same forest) in Active Directory.

      Use the Oracle provided sample client from: http://docs.oracle.com/javase/7/docs/technotes/guides/net/http-auth.html



      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The user should authenticate, and the desired web content should be returned.
      ACTUAL -
      User fails to authenticate, and client throws the following stack trace:

      auth-user: domain1\user
      host: server.domain2.tld
      port: 443
      prompt:
      protocol: https
      scheme: ntlm
      url: https://server.domain2.tld/sites/SharepointSiteName/_vti_bin/Lists.asmx?wsdl
      site: server.domain2.tld/161.194.217.111
      type: SERVER
      auth-user: domain1\user
      host: server.domain2.tld
      port: 443
      prompt:
      protocol: https
      scheme: ntlm
      url: https://server.domain2.tld/sites/SharepointSiteName/_vti_bin/Lists.asmx?wsdl
      site: server.domain2.tld/161.194.217.111
      type: SERVER
      javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://server.domain2.tld/sites/SharepointSiteName/_vti_bin/Lists.asmx?wsdl. It failed with:
              Server redirected too many times (2).
              at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:250)
              at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:231)
              at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:194)
              at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:163)
              at com.sun.xml.internal.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:348)
              at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:306)
              at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:215)
              at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:196)
              at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:192)
              at com.sun.xml.internal.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:104)
              at javax.xml.ws.Service.<init>(Service.java:77)
              at com.microsoft.schemas.sharepoint.soap.Lists.<init>(Lists.java:58)
              at my.test.SharePointBase.getListsSoap(SharePointBase.java:52)
              at my.test.Main.main(Main.java:41)
      Caused by: java.net.ProtocolException: Server redirected too many times (2)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1847)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
              at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
              at java.net.URL.openStream(URL.java:1038)
              at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:984)
              at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDLParser.java:385)
              at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:216)
              ... 12 more


      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://server.domain2.tld/sites/SharepointSiteName/_vti_bin/Lists.asmx?wsdl. It failed with:
              Server redirected too many times (2).
              at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:250)
              at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:231)
              at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:194)
              at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:163)
              at com.sun.xml.internal.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:348)
              at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:306)
              at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:215)
              at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:196)
              at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:192)
              at com.sun.xml.internal.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:104)
              at javax.xml.ws.Service.<init>(Service.java:77)
              at com.microsoft.schemas.sharepoint.soap.Lists.<init>(Lists.java:58)
              at my.test.SharePointBase.getListsSoap(SharePointBase.java:52)
              at my.test.Main.main(Main.java:41)
      Caused by: java.net.ProtocolException: Server redirected too many times (2)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1847)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
              at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
              at java.net.URL.openStream(URL.java:1038)
              at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:984)
              at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDLParser.java:385)
              at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:216)
              ... 12 more


      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      import java.io.BufferedReader;
      import java.io.InputStream;
      import java.io.InputStreamReader;
      import java.net.Authenticator;
      import java.net.PasswordAuthentication;
      import java.net.URL;

      public class RunHttpSpnego {

          static final String kuser = "username"; // your account name, e.g. "domain1\\user" to pass an explicit domain
          // The original sample leaves the password as a placeholder; reading it from the
          // environment keeps the sample compilable without hard-coding a secret.
          static final String kpass = System.getenv("KPASS"); // retrieve password for your account

          static class MyAuthenticator extends Authenticator {
              public PasswordAuthentication getPasswordAuthentication() {
                  // I haven't checked getRequestingScheme() here, since for NTLM
                  // and Negotiate, the username and password are all the same.
                  System.err.println("Feeding username and password for " + getRequestingScheme());
                  return (new PasswordAuthentication(kuser, kpass.toCharArray()));
              }
          }

          public static void main(String[] args) throws Exception {
              Authenticator.setDefault(new MyAuthenticator());
              URL url = new URL(args[0]);
              InputStream ins = url.openConnection().getInputStream();
              BufferedReader reader = new BufferedReader(new InputStreamReader(ins));
              String str;
              while((str = reader.readLine()) != null)
                  System.out.println(str);
          }
      }
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      There is no workaround, short of modifying the OpenJDK version of Client.java, making the change, creating a custom rt.jar, and then bootstrapping it into the JRE.

            Pallavi Sonal (Inactive)
            Webbug Group
            Votes: 0
            Watchers: 3