NTLM fails when consuming SharePoint web service from Java?

3
votes

I have a Java client that consumes SharePoint 2010 standard web services (sitedata.asmx, permissions.asmx, etc) written with JAX-WS implementation from the JDK 6.

So far, authentication is done with NTLM using a custom Authenticator implementation and Authenticator.setDefault(...) approach.

When running on my test environment which has only one SharePoint server, it works fine. I can see all the NTLM negotiation using WireShark.

But, if running on a costumer which has multiple servers, hardware load balancing and multiple SharePoint alternate access mappings I get Error 401 Unauthorized from the web service calls. I haven't had a chance to use WireShark to debug on that environment.

I run my client from a Windows machine (on the costumer setup), so according to Java documentation it should be fine for NTLM. Also, I used the default URL from SharePoint to access the web services (not the load balanced URLs).

The machine running the client application, is not a SharePoint server. It has Windows Integrated Authentication with NTLM configured.

Also, due SharePoint administration policies, I´m unable to access SharePoint Central Administration or do any change to the configuration (nor IIS).

I want to ask if anyone knows what the issue may be? And hopefully if anyone knows how to fix it?

Thanks in advance.

EDIT:

It´s important to mention, that the same permission levels were granted on both environments.

2
javaweb-servicessharepoint-2010jax-wsntlm
Forgot to mention, the requests are sent over HTTPS.jmend

2 Answers

4
votes

Well, finally I had a chance to use WireShark on the costumer environment.

First I noticed they have NTLM v2 configured, but that's OK since Java 1.6 supports it.

Then I saw that since Windows Integrated Authentication is enabled, the current logged user credentials are sent instead of the ones configured on the code. Since logged user has no permissions on SharePoint, I received 401 Unauthorized.

According to Java documentation this is the normal behavior

In fact, if you are running on a Windows machine as a domain user, or, you are running on a Linux or Solaris machine that has already issued the kinit command and got the credential cache. The class MyAuthenticator will be completely ignored ..... which shows the username and password are not consulted. This is the so-called Single Sign-On.

I hope someone can answer this question since I think that's exactly what I need.

Finally, I observed that with HTTP first Windows credentials will be tried, and on failure the credentials provided by the code will be used instead. Thus, everything works fine.

When using HTTPS, only Windows credentials will be used, so I always got 401 Unauthorized.

Not sure what the causes the difference between HTTP and HTTPS.

0
votes

You have to disable the tranparent authentication in java. you can do this either by dropping in a custom rt.jar or using reflection to modify the java classes.

tryTransparentNTLMServer and tryTransparentNTLMProxy are the fields in the HttpURLConnection which you need to set accessible and then to false when using the reflection method. Obviously just change this class if your making your own rt.jar