Which options for NTLM authentication can be automated, and how can I do it using Java?

I want to know which options can be automated out of 6 used during NTLM authentication, which are:

"Username" is the one used to log into the current operating system profile. - Automated using System.getProperty("user.name")

"Password" is the same as above. - Probably cannot be automated, but I'll never be sure until I try to ask ...

"ProxyAddress" is the address of the proxy that the authentication has to pass through. - Already pseudo-automated, but it is fixed in the code, which is bad.

"ProxyPort" is the port the proxy server listens on. - Already pseudo-automated, but it is fixed in the code, which is bad.

"Workstation" is my local network PC ID or something ... I am currently using my machine ID and it works, but I have no idea if it is the correct value or if the value is needed in the first place. - No idea how to automate, but I know it's possible. HELP IS NEEDED

"Domain" - I don't know what domain it belongs to, so I don't know what value it should have ... leaving it blank seems to work ... - No idea how to automate, but I know it is possible. HELP IS NEEDED

ADDITIONAL INFORMATION: I am using the HtmlClient library for a process including authentication.

    DefaultCredentialsProvider credentialProvider = (DefaultCredentialsProvider) webClient.getCredentialsProvider();
    credentialProvider.addNTLMCredentials(username, password, proxyAddress, proxyPort, workstation, domain);
    webClient.setUseInsecureSSL(true);

+3




1 answer


I'm kind of assuming you're talking about Apache HttpClient and HtmlUnit, but I'm basing that assumption on the method signatures in the code you provided, so I apologize if I'm wrong.

  • For NTLM, this is the remote username, not necessarily the current user on the local host. I suspect this is the same user in your script, but I would like to point this out. In this case, yes, the system property user.name gives the name of the current user:

    System.getProperty("user.name");

    On Windows you can also use the environment variable USERNAME:

    System.getenv("USERNAME");

    or you can use the com.sun.security.auth.module.NTSystem class:

    new NTSystem().getName();

  • You cannot get the user's password. However, you will still be able to perform a single sign-on where the user does not need to provide a password (more on that below).

  • The Java engine uses the http.proxyHost system property to specify an HTTP proxy:

    String proxyHost = System.getProperty("http.proxyHost");

    Note that you must check the http.nonProxyHosts system property as well.

    Some JREs (Mac operating system comes to mind right away) will set these system properties based on the system's proxy settings. If this is not specified by your JRE, you probably want to try to determine the proxy from another source. On Unix systems, you can use the environment variable HTTP_PROXY. On Windows systems, it is best to use the ProxySelector class as described in fooobar.com/questions/196429 / ... .

  • Like the http.proxyHost system property, the Java engine has an http.proxyPort system property:

    int proxyPort = Integer.parseInt(System.getProperty("http.proxyPort"));

  • To reliably get your hostname on Unix you really have to call gethostname(2) via JNI or exec /usr/bin/hostname, unfortunately. On Windows, you can use the environment variable COMPUTERNAME:

    System.getenv("COMPUTERNAME");

  • You can get the domain name to which the local computer is connected (without asking the user), but there is no way to automatically get the domain name of the machine you are authenticating to. Of course, this is a moot point if your local workstation and the authentication target are on the same domain. Thus, on Windows, you can either use the environment variable USERDOMAIN:

    System.getenv("USERDOMAIN");

    or you can use the NTSystem class:

    new NTSystem().getDomain();

Phew.



Regarding the implementation of "single sign-on" (so the user doesn't need to supply a password):

You can do single sign-on (no password needed) using Java Kerberos, however I have not been successful with this because Java requires explicit Kerberos configuration (and does not use the host configuration) and it does not implement some of the ciphers required by Active Directory. (Or this is my understanding.)

You can also do single sign-on with NTLM or SPNEGO (Kerberos) using JNI to invoke InitializeSecurityContext and pass the resulting tokens in the WWW-Authenticate header.

+9
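The lookups described in the answer above, combined into one runnable class. This is an added example, not code from the question or the answer: the class name NtlmDefaults, its helper methods and the example.com URL are assumptions, and the hostname fallback via InetAddress is a best-effort substitute for gethostname(2).

```java
import java.net.*;

public class NtlmDefaults {
    /** First HTTP proxy the JVM would use for target, or null for a direct connection. */
    static InetSocketAddress proxyFor(URI target) {
        // The default selector already honours http.proxyHost, http.proxyPort
        // and http.nonProxyHosts, so those properties need no separate parsing.
        for (Proxy p : ProxySelector.getDefault().select(target)) {
            if (p.type() == Proxy.Type.HTTP && p.address() instanceof InetSocketAddress) {
                return (InetSocketAddress) p.address();
            }
        }
        return null;
    }

    /** COMPUTERNAME on Windows; elsewhere the resolver's name for the local host. */
    static String workstation() {
        String name = System.getenv("COMPUTERNAME");
        if (name != null && !name.isEmpty()) return name;
        try {
            return InetAddress.getLocalHost().getHostName();
        } catch (UnknownHostException e) {
            return ""; // unknown: leave the NTLM workstation field empty
        }
    }

    /** Domain of the logged-on user (USERDOMAIN, Windows only); empty when unknown. */
    static String domain() {
        String d = System.getenv("USERDOMAIN");
        return d == null ? "" : d;
    }

    public static void main(String[] args) {
        // Read once, when the default selector is initialised, so set it first
        // (or pass -Djava.net.useSystemProxies=true) to pick up OS proxy settings.
        System.setProperty("java.net.useSystemProxies", "true");
        // Placeholder target URL; pass the real one as the first argument.
        URI target = URI.create(args.length > 0 ? args[0] : "http://example.com/");
        InetSocketAddress proxy = proxyFor(target);
        System.out.println("username    = " + System.getProperty("user.name"));
        System.out.println("proxy       = "
                + (proxy == null ? "DIRECT" : proxy.getHostString() + ":" + proxy.getPort()));
        System.out.println("workstation = " + workstation());
        System.out.println("domain      = " + domain());
        // No password lookup: it cannot be read from the OS session.
    }
}
```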








