ntlm with ms exchange server not working since java 1.7
Mario Ivankovits
mario at datenwort.at
Sat Oct 8 06:41:42 PDT 2011
Hi net-devs,
I hope you do not mind that I post to this list, but I hope I can provide enough in-depth information about the problem to justify the post here.
Accessing a "normal" NTLM-protected resource - a simple index.html in a protected directory on an IIS 7.5 server - the NTLM authentication works fine.
However, trying to access the Microsoft Exchange 2010 webservice fails with "401 Unauthorized".
I used these few lines to debug the connection/authentication process:
    URL url = new URL("https://exchange/ews/Services.wsdl");
    byte[] buf = new byte[10240];
    int read = url.openStream().read(buf);
    System.err.println(new String(buf, 0, read));
This snippet works fine in Java 1.6, but fails with an IOException (HTTP status 401) in Java 1.7.
I found an interesting difference when accessing the "normal" web-page and the exchange webservice.
When accessing the web-page, the server answers "WWW-Authenticate: Negotiate" just after the first 401 response, which then triggers the authentication process. In contrast, when accessing the Exchange webservice, the "WWW-Authenticate: Negotiate" is sent during the negotiation process too, which then triggers the inNegotiate flag in sun.net.www.protocol.http.HttpURLConnection in getInputStream and lets the negotiation process fail.
If I hack the response values and change any subsequent Negotiate to e.g. NegotiateXX, then the inNegotiate flag will not change and the authentication process will finish and authentication finally works.
Here is the request/response cycle which then fails:
#1: {GET /ews/Services.wsdl HTTP/1.1: null}{User-Agent: Java/1.7.0_02-ea}{Host: exchange }{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
#2: {null: HTTP/1.1 401 Unauthorized}{Server: Microsoft-IIS/7.5}{WWW-Authenticate: Negotiate}{WWW-Authenticate: NTLM}{X-Powered-By: ASP.NET}{Date: Sat, 08 Oct 2011 13:17:39 GMT}{Content-Length: 0}
#3: {GET /ews/Services.wsdl HTTP/1.1: null}{User-Agent: Java/1.7.0_02-ea}{Host: exchange }{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}{Authorization: NTLM MY_NTLM_DATA}
#4: {null: HTTP/1.1 401 Unauthorized}{Server: Microsoft-IIS/7.5}{WWW-Authenticate: NTLM SERVER_NTLM_DATA}{WWW-Authenticate: Negotiate}{X-Powered-By: ASP.NET}{Date: Sat, 08 Oct 2011 13:17:39 GMT}{Content-Length: 0}
Exception in thread "main" java.io.IOException: Server returned HTTP response code: 401 for URL: https://exchange/ews/Services.wsdl
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1612)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at java.net.URL.openStream(URL.java:1035)
Does this make sense to you?
It seems to me the "inNegotiate" handling needs a review as it does not work in all cases.
I hope my information is of some help in fixing this issue.
Ciao,
Mario
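
The header handling described in the message above, as an added example (not part of the original post and not the JDK's code): a client-side routine that keeps answering the scheme it already started when a later 401 carries a token for it, and treats a bare re-advertised scheme as no reason to restart. The class and method names and the supported-scheme list are assumptions; the header values are those of responses #2 and #4 in the trace.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration; all names are hypothetical and this is not sun.net.www code.
public class ChallengeSelector {

    // Scheme name of a WWW-Authenticate value, e.g. "NTLM" from "NTLM <token>".
    static String scheme(String value) {
        return value.trim().split("\\s+", 2)[0];
    }

    // True when the value carries handshake data after the scheme name.
    static boolean hasToken(String value) {
        return value.trim().split("\\s+", 2).length == 2;
    }

    // Picks the WWW-Authenticate value to answer, or null if none applies.
    // inProgress: scheme of the Authorization header already sent, null on the first 401.
    // supported: schemes this client can speak, in order of preference (assumption).
    static String select(List<String> challenges, String inProgress, List<String> supported) {
        if (inProgress != null) {
            // Mid-handshake: only a token for the running scheme continues it.
            // A bare "Negotiate" beside it is a re-advertisement, not a restart.
            for (String c : challenges) {
                if (scheme(c).equalsIgnoreCase(inProgress) && hasToken(c)) {
                    return c;
                }
            }
            return null; // no token for the running scheme: stop rather than restart
        }
        for (String want : supported) {
            for (String c : challenges) {
                if (scheme(c).equalsIgnoreCase(want)) {
                    return c;
                }
            }
        }
        return null;
    }

    public static void main(String[] args) {
        List<String> supported = Arrays.asList("NTLM"); // assumed client capability
        // Header values as they appear in responses #2 and #4 of the trace.
        List<String> first = Arrays.asList("Negotiate", "NTLM");
        List<String> second = Arrays.asList("NTLM SERVER_NTLM_DATA", "Negotiate");
        System.out.println(select(first, null, supported));
        System.out.println(select(second, "NTLM", supported));
    }
}
```

With the trace's headers, the first call selects the bare NTLM offer and the second selects the NTLM value carrying SERVER_NTLM_DATA, regardless of the order in which the server lists the two headers.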