NTLM authentication successful but connection not establishable


(jbi) #1

Hi there,

Our corporate proxy uses NTLM, but we are facing problems in some regions. Some regions cannot access the proxy and they get the following error message:

[DEBUG] [org.gradle.internal.resource.transport.http.HttpClientConfigurer] Using Credentials [username: apac/u1] and NTLM Credentials [user: u1, domain: APAC, workstation: w1] for authenticating against ‘proxy.corp.com:8080’ using NTLM
[DEBUG] [org.gradle.internal.resource.transport.http.HttpClientConfigurer] Using Credentials [username: apac/u1] for authenticating against ‘proxy.corp.com:8080’ using null
[DEBUG] [org.gradle.internal.resource.transport.http.HttpClientConfigurer] Using Credentials [username: apac/w1] and NTLM Credentials [user: u1, domain: APAC, workstation: w1] for authenticating against ‘proxy.corp.com:8080’ using NTLM
[DEBUG] [org.gradle.internal.resource.transport.http.HttpClientConfigurer] Using Credentials [username: apac/u1] for authenticating against ‘proxy.corp.com:8080’ using null

[DEBUG] [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] Connection request: [route: {tls}->http://proxy:8080->https://plugins.gradle.org:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
[DEBUG] [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] Connection leased: [id: 4][route: {tls}->http://proxy.corp.com:8080->https://plugins.gradle.org:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
[DEBUG] [org.apache.http.impl.execchain.MainClientExec] Opening connection {tls}->http://proxy.corp.com:8080->https://plugins.gradle.org:443
[DEBUG] [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator] Connecting to proxy.corp.com/10.187.52.240:8080
[DEBUG] [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator] Connection established 10.169.174.169:53294<->10.187.52.240:8080
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Authentication required
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] proxy.corp.com:8080 requested authentication
[DEBUG] [org.apache.http.impl.client.ProxyAuthenticationStrategy] Authentication schemes in the order of preference: [Negotiate, Kerberos, NTLM, Digest, Basic]
[DEBUG] [org.apache.http.impl.auth.SPNegoScheme] Received challenge ‘’ from the auth server
[DEBUG] [org.apache.http.impl.client.ProxyAuthenticationStrategy] Challenge for Kerberos authentication scheme not available
[DEBUG] [org.apache.http.impl.client.ProxyAuthenticationStrategy] Challenge for Digest authentication scheme not available
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Selected authentication options: [NEGOTIATE, NTLM, BASIC [complete=true]]
[DEBUG] [org.apache.http.impl.conn.DefaultManagedHttpClientConnection] http-outgoing-4: Close connection
[DEBUG] [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator] Connecting to proxy.corp.com/10.187.52.240:8080
[DEBUG] [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator] Connection established 10.169.174.169:53295<->10.187.52.240:8080
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Generating response to an authentication challenge using Negotiate scheme
[DEBUG] [org.apache.http.impl.auth.SPNegoScheme] init proxy.corp.com
[WARN] [org.apache.http.impl.auth.HttpAuthenticator] NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Generating response to an authentication challenge using ntlm scheme
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Authentication required
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] proxy.corp.com:8080 requested authentication
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Authorization challenge processed
[DEBUG] [org.apache.http.impl.execchain.MainClientExec] Connection kept alive
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Authentication succeeded
[DEBUG] [org.apache.http.impl.execchain.MainClientExec] Tunnel to target created.
[DEBUG] [org.apache.http.conn.ssl.SSLConnectionSocketFactory] Enabled protocols: [TLSv1]
[DEBUG] [org.apache.http.conn.ssl.SSLConnectionSocketFactory] Enabled cipher suites:[…]
[DEBUG] [org.apache.http.conn.ssl.SSLConnectionSocketFactory] Starting handshake
[DEBUG] [org.apache.http.impl.conn.DefaultManagedHttpClientConnection] http-outgoing-4: Shutdown connection
[DEBUG] [org.apache.http.impl.execchain.MainClientExec] Connection discarded
[DEBUG] [org.apache.http.impl.conn.DefaultManagedHttpClientConnection] http-outgoing-4: Close connection
[DEBUG] [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] Connection released: [id: 4][route: {tls}->http://proxy.corp.com:8080->https://plugins.gradle.org:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]

The gradle.properties looks like this (+ https with the same values):

systemProp.http.proxyHost=proxy.corp.com
systemProp.http.proxyPort=8080
systemProp.http.proxyUser=apac/u1
systemProp.http.proxyPassword=p

Analysis of log

First of all I wonder why, even if the NTLM credentials are given, other credentials are used?

[DEBUG] [org.gradle.internal.resource.transport.http.HttpClientConfigurer] Using Credentials [username: apac/u1] and NTLM Credentials [user: u1, domain: APAC, workstation: w1] for authenticating against ‘proxy.corp.com:8080’ using NTLM
[DEBUG] [org.gradle.internal.resource.transport.http.HttpClientConfigurer] Using Credentials [username: apac/u1] for authenticating against ‘proxy.corp.com:8080’ using null

The following debug message points out that validation via Negotiate (and Kerberos?) is not possible due to invalid credentials. Well, I want to use NTLM validation, so why should I care about Negotiate (and Kerberos)?

[WARN] [org.apache.http.impl.auth.HttpAuthenticator] NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))

Then, obviously because Negotiate and Kerberos are not working, NTLM is used. Seems like the authentication succeeds.

[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Authentication succeeded

But in the end the connection could not be established. Why is that?

Also I wonder why Basic authentication is not tried after NTLM failure. Is it because NTLM authentication was successful and this should be enough?

And yes, I know that there are already some topics on the NTLM issue, but the solutions are not working for us:


(Gregor Kofler) #2

Is there any progress?


(jbi) #3

Unfortunately, I have been out of the project for quite some time. I solved the issue somehow but can’t remember anymore. Sorry.


(Sanket) #4

Does anyone have a solution for this?
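
A small triage script for the debug log in the first post, added here as an example and not part of the thread: it reports which authentication schemes were attempted, which TLS protocols the client enabled, and the stage at which the connection was shut down. The `triage` function, the stage names and the shortened `SAMPLE_LOG` are constructed for this illustration.

```python
import re

# Constructed sample: a shortened copy of the debug lines quoted in the first post.
SAMPLE_LOG = """\
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Generating response to an authentication challenge using Negotiate scheme
[WARN] [org.apache.http.impl.auth.HttpAuthenticator] NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Generating response to an authentication challenge using ntlm scheme
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Authentication succeeded
[DEBUG] [org.apache.http.impl.execchain.MainClientExec] Tunnel to target created.
[DEBUG] [org.apache.http.conn.ssl.SSLConnectionSocketFactory] Enabled protocols: [TLSv1]
[DEBUG] [org.apache.http.conn.ssl.SSLConnectionSocketFactory] Starting handshake
[DEBUG] [org.apache.http.impl.conn.DefaultManagedHttpClientConnection] http-outgoing-4: Shutdown connection
[DEBUG] [org.apache.http.impl.execchain.MainClientExec] Connection discarded
"""

LINE = re.compile(r"^\[(\w+)\] \[([\w.$]+)\] (.*)$")
# Message fragments that mark each stage of a proxied HTTPS request, in order.
STAGES = [("tcp_connected", "Connection established"),
          ("proxy_auth_ok", "Authentication succeeded"),
          ("tunnel_created", "Tunnel to target created"),
          ("tls_handshake", "Starting handshake")]

def triage(log_text):
    """Summarise how far a proxied request got before the connection was dropped."""
    out = {"schemes_tried": [], "auth_errors": [], "tls_protocols": [],
           "last_stage": None, "dropped_during": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank lines and non-log text
        level, _logger, msg = m.groups()
        for stage, marker in STAGES:
            if marker in msg:
                out["last_stage"] = stage
        scheme = re.search(r"challenge using (\w+) scheme", msg)
        if scheme:
            out["schemes_tried"].append(scheme.group(1).upper())
        if level == "WARN" and "authentication error" in msg:
            out["auth_errors"].append(msg.split(" authentication error")[0])
        protos = re.match(r"Enabled protocols: \[(.*)\]", msg)
        if protos:
            out["tls_protocols"] = [p.strip() for p in protos.group(1).split(",")]
        if msg.endswith("Shutdown connection"):
            out["dropped_during"] = out["last_stage"]
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the shutdown is reported during `tls_handshake` with only `TLSv1` enabled, that is, after proxy authentication and tunnel creation had already been logged as successful.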