HttpClient 4.3.6 return "WARNING: NEGOTIATE authentication failed"
I am running HttpClient 4.3.6 in Java 6. When I run the following code, the authentication seems to be successful. The returned status code is 200. However, I get the following error in the console:
WARNING: NEGOTIATE authentication error: Invalid name (Engine level: Could not load configuration file C: \ Windows \ krb5.ini (System cannot find the file specified))
How do I resolve this warning?
CloseableHttpClient httpclient = HttpClients.createDefault();
HttpContext localContext = new BasicHttpContext();
HttpGet method = new HttpGet(url);
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(
new AuthScope(host, 80),
new NTCredentials(userid, password, host, login_domain));
localContext.setAttribute(HttpClientContext.CREDS_PROVIDER, credsProvider);
String filePath = null;
// Execute the method.
CloseableHttpResponse clientResponse = httpclient.execute(method, localContext);
HttpEntity entity = clientResponse.getEntity();
int statusCode = clientResponse.getStatusLine().getStatusCode();
if (statusCode != HttpStatus.SC_OK) {
System.err.println("Method failed: " + method.getRequestLine());
}
You need to pass a set of targeted preferred authentication schemes:
Create your httpClient like this:
PoolingHttpClientConnectionManager connPool = new PoolingHttpClientConnectionManager();
connPool.setMaxTotal(200);
connPool.setDefaultMaxPerRoute(200);
// Authentication
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(AuthScope.ANY, new NTCredentials(username, password, workstation, domain));
RequestConfig config = RequestConfig.custom().setTargetPreferredAuthSchemes(Arrays.asList(AuthSchemes.NTLM)).build();
CloseableHttpClient httpClient = HttpClients.custom().setConnectionManager(connPool).setDefaultRequestConfig(config).build();
HttpClientContext context = HttpClientContext.create();
context.setCredentialsProvider(credsProvider);
Yes, I believe your authentication was actually successful and is probably just falling back to NTLM from Kerberos. My code is similar to yours, and in my application I am connecting to SharePoint using HttpClient 4.3.5 in Java 7. When SharePoint is set to "Negotiate" ("Attempting Kerberos and then migrating to NTLM"), I see a similar error for what you reported in the generated HttpClient protocol, specifically:
Selected authentication options: [NEGOTIATE, NTLM]
Executing request GET /my/personal/user2/_api/web?$select=ServerRelativeUrl HTTP/1.1
Target auth state: CHALLENGED
Generating response to an authentication challenge using Negotiate scheme
init XXX.XXX.XXX.XXX:80
NEGOTIATE authentication error: org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Desired initLifetime zero or less
Generating response to an authentication challenge using ntlm scheme
After that, it successfully authenticates through NTLM. So, I read this error message: "Kerberos does not work, we will now use NTLM". As long as you get a 200 response, you should be good to go.
Are you sure the authentication succeeds if the website has Negotiate installed (try Kerbero then switch to NTLM). BASIC authentication probably won't succeed.