JDK-8058419 : NTLM authentication does not work in Linux
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 7u51
  • Priority: P4
  • Status: Open
  • Resolution: Unresolved
  • OS: linux
  • CPU: x86_64
  • Submitted: 2014-09-12
  • Updated: 2016-03-07
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)


ADDITIONAL OS VERSION INFORMATION :
Linux 2.6.32-220.13.1.el6.x86_64

A DESCRIPTION OF THE PROBLEM :
The NTLM authentication from Linux does not work as expected. The same code works in a Windows environment.

1. The SharePoint website, which is hosted on Windows and requires NTLM authentication, is being accessed from a Java program using HttpURLConnection.
Sample code:
CookieHandler.setDefault(new CookieManager(null, CookiePolicy.ACCEPT_ALL));
Authenticator.setDefault(new MyAuthenticator(userName, password));
URL url = new URL(httpUrl);
HttpURLConnection connection = (HttpURLConnection) url.openConnection();

2. This happens when the user domain (a.company.com) is different from the SharePoint domain (exchad.company.com).
For example:
a. The user a.company.com/user-id has permission set up in SharePoint on a document.
b. The user can access the SharePoint site.
c. The Java program works from a Windows environment.




ERROR MESSAGES/STACK TRACES THAT OCCUR :
Sep 12, 2014 9:58:56 AM sun.net.www.protocol.http.HttpURLConnection$1 run
FINEST: Requesting Authentication: host =XXXX url = http://WWW
type: SERVER ,Scheme:ntlm, Host: XXXX,prompt:,protocol:http, httpUsername :a.company.com\AAA
Sep 12, 2014 9:58:56 AM sun.net.www.protocol.http.HttpURLConnection$1 run
FINEST: Authentication returned: java.net.PasswordAuthentication@5ec7640b
NTLM Client: (h,u,t,version(v)) = (CLIENTHOST,AAA,XXXX,null(NTLMv2))
NTLM Client: Type 1 created
0000: 4E 54 4C 4D 53 53 50 00   01 00 00 00 03 B2 08 00  NTLMSSP.........
0010: 1B 00 1B 00 2C 00 00 00   0C 00 0C 00 20 00 00 00  ....,....... ...
0020: 46 41 53 54 44 4E 56 4C   31 32 37 31 4E 41 45 41  XXXXXXXXXXXXXXXX
0030: 53 54 2E 41 44 2E 4A 50   4D 4F 52 47 41 4E 43 48  XXXXXXXXXXXXXXXX
0040: 41 53 45 2E 43 4F 4D                               XXX.COM
Sep 12, 2014 9:58:56 AM sun.net.www.protocol.http.HttpURLConnection getServerAuthentication
FINER: Server Authentication for AuthenticationHeader: prefer NTLM returned sun.net.www.protocol.http.ntlm.NTLMAuthentication@74793ec9
Sep 12, 2014 9:58:56 AM sun.net.www.protocol.http.HttpURLConnection setCookieHeader
FINEST: CookieHandler request for http://WWW
Sep 12, 2014 9:58:56 AM sun.net.www.protocol.http.HttpURLConnection setCookieHeader
FINEST: Cookies retrieved: {Cookie=[]}
java.net.ProtocolException: Server redirected too many  times (20)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1636)
        at com.jpmorgan.ccb.sharepoint.examples.TestWS.testWs(TestWS.java:38)
        at com.jpmorgan.ccb.sharepoint.examples.TestWS.main(TestWS.java:17)

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
CookieHandler.setDefault(new CookieManager(null, CookiePolicy.ACCEPT_ALL));
Authenticator.setDefault(new MyAuthenticator(userName, password));
URL url = new URL(httpUrl);
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Comment out the line below in class com.sun.security.ntlm.Client
under method public byte[] type3(byte[] type2, byte[] nonce) throws NTLMException {

     if (domainFromServer != null) {
         //   domain = domainFromServer;
     }


Note: Since the user domain is different from the website host domain here, the authentication fails only on Linux.
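
To help read a "Type 1 created" dump like the one in the log above, here is an added example (not part of the original report and not JDK code) that decodes the NTLMSSP Type 1 header and shows which domain and workstation the client advertises. The class name and the sample bytes are constructed, and the payload strings are assumed to be plain ASCII.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class NtlmType1Dump {
    static final int OEM_DOMAIN_SUPPLIED = 0x00001000;      // flag bit per MS-NLMP
    static final int OEM_WORKSTATION_SUPPLIED = 0x00002000; // flag bit per MS-NLMP

    // Turns whitespace-separated hex bytes (the hex column of the dump) into bytes.
    static byte[] fromHex(String dump) {
        String[] tok = dump.trim().split("\\s+");
        byte[] out = new byte[tok.length];
        for (int i = 0; i < tok.length; i++) out[i] = (byte) Integer.parseInt(tok[i], 16);
        return out;
    }

    // Reads one security buffer: length (2), max length (2), offset (4), little-endian.
    static String field(ByteBuffer b, int pos) {
        int len = b.getShort(pos) & 0xFFFF;
        int off = b.getInt(pos + 4);
        if (len == 0) return "";
        if (off < 32 || off > b.limit() - len) {
            throw new IllegalArgumentException("security buffer points outside the message");
        }
        // Assumption: the OEM-encoded strings in this sample are plain ASCII.
        return new String(b.array(), off, len, StandardCharsets.US_ASCII);
    }

    // Validates the signature and message type, then reports flags and both fields.
    static String describe(byte[] msg) {
        byte[] sig = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
        if (msg.length < 32 || !Arrays.equals(Arrays.copyOf(msg, 8), sig)) {
            throw new IllegalArgumentException("not an NTLMSSP message");
        }
        ByteBuffer b = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        if (b.getInt(8) != 1) throw new IllegalArgumentException("not a Type 1 message");
        int flags = b.getInt(12);
        return String.format("flags=0x%08X domain=%s (supplied=%b) workstation=%s (supplied=%b)",
                flags, field(b, 16), (flags & OEM_DOMAIN_SUPPLIED) != 0,
                field(b, 24), (flags & OEM_WORKSTATION_SUPPLIED) != 0);
    }

    public static void main(String[] args) {
        // Constructed sample: workstation CLIENTHOST, domain A.COMPANY.COM.
        String sample = "4E 54 4C 4D 53 53 50 00 01 00 00 00 03 B2 08 00 "
                + "0D 00 0D 00 2A 00 00 00 0A 00 0A 00 20 00 00 00 "
                + "43 4C 49 45 4E 54 48 4F 53 54 41 2E 43 4F 4D 50 41 4E 59 2E 43 4F 4D";
        System.out.println(describe(fromHex(sample)));
    }
}
```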


Comments
I think the networking team should look at this first. If it turns out to be an issue in security, please transfer it back.
15-09-2014