JDK-8151122 : ntlm authentication fails when authenticating against server in alternate domain
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 7u76
  • Priority: P3
  • Status: Resolved
  • Resolution: Duplicate
  • OS: windows_7
  • CPU: x86_64
  • Submitted: 2016-01-13
  • Updated: 2016-03-03
  • Resolved: 2016-03-03
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
java version "1.7.0_67"
Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
Java HotSpot(TM) Client VM (build 24.65-b04, mixed mode, sharing)

java version "1.7.0_72"
Java(TM) SE Runtime Environment (build 1.7.0_72-b14)
Java HotSpot(TM) 64-Bit Server VM (build 24.72-b04, mixed mode)

java version "1.8.0_25"
Java(TM) SE Runtime Environment (build 1.8.0_25-b18)
Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)

java version "1.8.0_31"
Java(TM) SE Runtime Environment (build 1.8.0_31-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.31-b07, mixed mode)



ADDITIONAL OS VERSION INFORMATION :
SunOS test 5.10 Generic_150400-23 sun4u sparc SUNW,SPARC-Enterprise
Linux testimsgf1 2.6.18-406.el5 #1 SMP Fri May 1 10:37:57 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
Microsoft Windows [Version 6.1.7601]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Multi-domain Active Directory forest with a two-way trust to an additional Active Directory forest. The client is in one domain, and the Microsoft IIS web server (configured for Trusted Authentication) is in a different, trusted domain in the second forest.


A DESCRIPTION OF THE PROBLEM :
When the Windows IIS server is configured for Trusted Authentication and has a default domain defined, the Java NTLM client ignores the locally provided domain and uses the value provided by the server. This is fundamentally wrong. The purpose of the domain-from-server value is to serve as a default for when the domain is not provided by the client.

com.sun.security.ntlm.Client.java

Existing code:
        String domainFromServer = r.readSecurityBuffer(12, unicode);
        if (domainFromServer != null) {
            domain = domainFromServer;
        }
        if (domain == null) {
            domain = "";
        }

Proposed fix:
        String domainFromServer = r.readSecurityBuffer(12, unicode);
        if (domainFromServer != null && (domain == null || domain.isEmpty())) {
            domain = domainFromServer;
        }
        if (domain == null) {
            domain = "";
        }


REGRESSION.  Last worked in version 6u45

ADDITIONAL REGRESSION INFORMATION: 
java version "1.6.0_45"
Java(TM) SE Runtime Environment (build 1.6.0_45-b06)
Java HotSpot(TM) Server VM (build 20.45-b01, mixed mode)


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Create a simple HttpClient to connect via the Negotiate protocol without a cached krb5 ticket. Configure the Authenticator instance to use username "domain1\user" and configure the IIS Web Server authentication module to default to "domain2". Ensure domain1 and domain2 are trusted domains (or within the same forest) in Active Directory.

Use the Oracle provided sample client from: http://docs.oracle.com/javase/7/docs/technotes/guides/net/http-auth.html



EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The user should authenticate, and the desired web content should be returned.
ACTUAL -
The user fails to authenticate, and the client throws the following stack trace:

auth-user: domain1\user
host: server.domain2.tld
port: 443
prompt:
protocol: https
scheme: ntlm
url: https://server.domain2.tld/sites/SharepointSiteName/_vti_bin/Lists.asmx?wsdl
site: server.domain2.tld/161.194.217.111
type: SERVER
auth-user: domain1\user
host: server.domain2.tld
port: 443
prompt:
protocol: https
scheme: ntlm
url: https://server.domain2.tld/sites/SharepointSiteName/_vti_bin/Lists.asmx?wsdl
site: server.domain2.tld/161.194.217.111
type: SERVER
javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://server.domain2.tld/sites/SharepointSiteName/_vti_bin/Lists.asmx?wsdl. It failed with:
        Server redirected too many  times (2).
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:250)
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:231)
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:194)
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:163)
        at com.sun.xml.internal.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:348)
        at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:306)
        at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:215)
        at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:196)
        at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:192)
        at com.sun.xml.internal.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:104)
        at javax.xml.ws.Service.<init>(Service.java:77)
        at com.microsoft.schemas.sharepoint.soap.Lists.<init>(Lists.java:58)
        at my.test.SharePointBase.getListsSoap(SharePointBase.java:52)
        at my.test.Main.main(Main.java:41)
Caused by: java.net.ProtocolException: Server redirected too many  times (2)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1847)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
        at java.net.URL.openStream(URL.java:1038)
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:984)
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDLParser.java:385)
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:216)
        ... 12 more


ERROR MESSAGES/STACK TRACES THAT OCCUR :
javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://server.domain2.tld/sites/SharepointSiteName/_vti_bin/Lists.asmx?wsdl. It failed with:
        Server redirected too many  times (2).
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:250)
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:231)
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:194)
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:163)
        at com.sun.xml.internal.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:348)
        at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:306)
        at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:215)
        at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:196)
        at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:192)
        at com.sun.xml.internal.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:104)
        at javax.xml.ws.Service.<init>(Service.java:77)
        at com.microsoft.schemas.sharepoint.soap.Lists.<init>(Lists.java:58)
        at my.test.SharePointBase.getListsSoap(SharePointBase.java:52)
        at my.test.Main.main(Main.java:41)
Caused by: java.net.ProtocolException: Server redirected too many  times (2)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1847)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
        at java.net.URL.openStream(URL.java:1038)
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:984)
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDLParser.java:385)
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:216)
        ... 12 more


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.io.BufferedReader;
import java.io.Console;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URL;

public class RunHttpSpnego {

    static final String kuser = "username"; // your account name, e.g. "domain1\\user"
    // The original sample references an undefined `password`; prompt for it on the
    // console instead so the secret is never stored in source.
    static final char[] kpass = readPassword();

    static char[] readPassword() {
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("No console available to prompt for the password");
        }
        return console.readPassword("Password for %s: ", kuser);
    }

    static class MyAuthenticator extends Authenticator {
        @Override
        public PasswordAuthentication getPasswordAuthentication() {
            // I haven't checked getRequestingScheme() here, since for NTLM
            // and Negotiate, the username and password are all the same.
            System.err.println("Feeding username and password for " + getRequestingScheme());
            // PasswordAuthentication copies the char[] it is given.
            return new PasswordAuthentication(kuser, kpass);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java RunHttpSpnego <url>");
            System.exit(1);
        }
        Authenticator.setDefault(new MyAuthenticator());
        URL url = new URL(args[0]);
        InputStream ins = url.openConnection().getInputStream();
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(ins))) {
            String str;
            while ((str = reader.readLine()) != null)
                System.out.println(str);
        }
    }
}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
There is no workaround, short of modifying the OpenJDK version or Client.java, making the change, and creating a custom rt.jar, then bootstrapping it into the JRE.
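The selection rule on which the two Client.java snippets in the description above differ, worked through on a constructed NTLM Type 2 (CHALLENGE_MESSAGE). This is an added Python example, not JDK code: it builds a challenge whose TargetName is "DOMAIN2", reads the TargetName security buffer at offset 12 the way r.readSecurityBuffer(12, unicode) does, and applies both the shipped rule and the proposed one to a client credential of "domain1\user". The names build_type2, read_security_buffer, server_uses_unicode, split_user, choose_domain_before_fix and choose_domain_after_fix are this example's own; the message layout follows MS-NLMP, and an absent buffer is reported as None here, which is a simplification of the JDK reader.

```python
import struct

# MS-NLMP NegotiateFlags bits used below.
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # server strings are UTF-16LE
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
SIGNATURE = b"NTLMSSP\x00"
# signature(8) type(4) TargetNameFields(8) flags(4) challenge(8) reserved(8) TargetInfoFields(8)
CHALLENGE_HEADER_LEN = 48


def build_type2(target_name, challenge=b"\x01\x02\x03\x04\x05\x06\x07\x08"):
    """Build a minimal CHALLENGE_MESSAGE (Type 2) whose TargetName is `target_name`.

    Constructed sample data, not a capture. The payload follows the 48-byte
    header; an empty name yields a zero-length security buffer.
    """
    name = target_name.encode("utf-16-le")
    name_offset = CHALLENGE_HEADER_LEN if name else 0
    header = (
        SIGNATURE
        + struct.pack("<I", 2)                                    # MessageType = CHALLENGE
        + struct.pack("<HHI", len(name), len(name), name_offset)  # TargetNameFields at offset 12
        + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM)  # flags at 20
        + challenge                                               # ServerChallenge at 24
        + b"\x00" * 8                                             # Reserved at 32
        + struct.pack("<HHI", 0, 0, 0)                            # TargetInfoFields at 40 (none)
    )
    return header + name


def read_security_buffer(msg, field_offset, unicode):
    """Counterpart of the JDK's r.readSecurityBuffer(offset, unicode).

    A security buffer is (Len u16, MaxLen u16, BufferOffset u32). An absent
    field (zero length or zero offset) is reported as None here so the callers
    can ask "did the server send a domain?"; the JDK reader itself returns an
    empty string in that case. Length/offset pairs come from the peer, so the
    bounds are checked before slicing.
    """
    if msg[:8] != SIGNATURE:
        raise ValueError("not an NTLM message")
    length, _max_length, offset = struct.unpack_from("<HHI", msg, field_offset)
    if length == 0 or offset == 0:
        return None
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    raw = msg[offset:offset + length]
    return raw.decode("utf-16-le" if unicode else "latin-1")


def server_uses_unicode(type2):
    """Read NegotiateFlags (offset 20) and report whether strings are UTF-16LE."""
    flags = struct.unpack_from("<I", type2, 20)[0]
    return bool(flags & NTLMSSP_NEGOTIATE_UNICODE)


def split_user(user):
    """Split a "domain\\user" credential into (domain, user); domain is None if absent."""
    domain, sep, name = user.partition("\\")
    return (domain, name) if sep else (None, user)


def choose_domain_before_fix(client_domain, type2):
    """Shipped Client.java rule: a TargetName sent by the server always wins."""
    domain = client_domain
    domain_from_server = read_security_buffer(type2, 12, server_uses_unicode(type2))
    if domain_from_server is not None:
        domain = domain_from_server
    if domain is None:
        domain = ""
    return domain


def choose_domain_after_fix(client_domain, type2):
    """Proposed rule: the server's TargetName is only a default for a missing client domain."""
    domain = client_domain
    domain_from_server = read_security_buffer(type2, 12, server_uses_unicode(type2))
    if domain_from_server is not None and (domain is None or domain == ""):
        domain = domain_from_server
    if domain is None:
        domain = ""
    return domain


if __name__ == "__main__":
    type2 = build_type2("DOMAIN2")
    client_domain, user = split_user("domain1\\user")
    print("before fix:", choose_domain_before_fix(client_domain, type2))  # DOMAIN2
    print("after fix: ", choose_domain_after_fix(client_domain, type2))   # domain1
```

Run stand-alone, the script prints DOMAIN2 for the shipped rule and domain1 for the proposed one, which is exactly the difference the report describes: with the shipped rule the Type 3 response names the server's default domain, so the domain1 account is looked up in the wrong domain and IIS keeps re-challenging until HttpURLConnection gives up with "Server redirected too many times". With the proposed rule the server value is used only when the credential carried no domain or an empty one.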


Comments
This is a duplicate of JDK-7150092. This is resolved from JDK 8u40 onwards. Please download the latest JDK versions from http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
03-03-2016