ntlm with ms exchange server not working since java 1.7

Mon Oct 10 07:48:13 PDT 2011

Max [to'ed],

Does this look familiar? Is it wrong for the server to be returning 
"WWW-Authenticate: Negotiate" during NTLM handshake?

-Chris.

On 08/10/2011 14:41, Mario Ivankovits wrote:
> Hi net-devs,
>
> I hope you do not mind that I post to this list, but I hope I can
> provide enough in-depth information about the problem to justify the
> post here.
>
> Accessing a “normal” ntlm protected resource – a simple index.html in an
> protected directory on an IIS 7.5 server - the ntlm authentication works
> fine.
>
> However, trying to access the Microsoft Exchange 2010 webservice failes
> with “401 Unauthorized”.
>
> I used this few lines to debug the connection/authentication process
>
> URL url = new URL("https://exchange/ews/Services.wsdl");
>
> byte[] buf = new byte[10240];
>
> int read = url.openStream().read(buf);
>
> System.err.println(new String(buf, 0, read));
>
> This snipped works fine in java 1.6, but failes with an IOException
> (http status 401) in java 1.7.
>
> I found an interesting difference when accessing the “normal” web-page
> and the exchange webservice.
>
> When accessing the web-page, the server answers “WWW-Authenticate:
> Negotiate” just after the first 401 response which triggers the
> authentication process then. In contrast, when accessing the Exchange
> webservice the “WWW-Authenticate: Negotiate” is sent during the
> negotiation process too, which then triggers the inNegotiate flag in
> sun.net.www.protocol.http.HttpURLConnection in getInputStream and let
> the negotiation process fail.
>
> If I hack the response values and change any subsequent Negotiate to
> e.g. NegotiateXX, then the inNegotiate flag will not change and the
> authentication process will finish and authentication finally works.
>
> Here is the request/response cycle which fail then:
>
> #1: {GET /ews/Services.wsdl HTTP/1.1: null}{User-Agent:
> Java/1.7.0_02-ea}{Host: exchange }{Accept: text/html, image/gif,
> image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
>
> #2: {null: HTTP/1.1 401 Unauthorized}{Server:
> Microsoft-IIS/7.5}{WWW-Authenticate: Negotiate}{WWW-Authenticate:
> NTLM}{X-Powered-By: ASP.NET}{Date: Sat, 08 Oct 2011 13:17:39
> GMT}{Content-Length: 0}
>
> #3: {GET /ews/Services.wsdl HTTP/1.1: null}{User-Agent:
> Java/1.7.0_02-ea}{Host: exchange }{Accept: text/html, image/gif,
> image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}{Authorization:
> NTLM MY_NTLM_DATA}
>
> #4: {null: HTTP/1.1 401 Unauthorized}{Server:
> Microsoft-IIS/7.5}{WWW-Authenticate: NTLM
> SERVER_NTLM_DATA}{WWW-Authenticate: Negotiate}{X-Powered-By:
> ASP.NET}{Date: Sat, 08 Oct 2011 13:17:39 GMT}{Content-Length: 0}
>
> Exception in thread "main" java.io.IOException: Server returned HTTP
> response code: 401 for URL: https://exchange/ews/Services.wsdl
>
> at
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1612)
>
> at
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
>
> at java.net.URL.openStream(URL.java:1035)
>
> Does this make sense to you?
>
> It seems to me the “inNegotiate” handling needs a review as it does not
> work in all cases.
>
> I hope my informations are of any help to fix this issue.
>
> Ciao,
>
> Mario
>