NTLM authentication successful but connection not establishable

Help/Discuss
1

Hi there,

Our corporate proxy uses NTLM, but we are facing problems in some regions. Some regions cannot access the proxy and they get the following error message:

[DEBUG] [org.gradle.internal.resource.transport.http.HttpClientConfigurer] Using Credentials [username: apac/u1] and NTLM Credentials [user: u1, domain: APAC, workstation: w1] for authenticating against ‘proxy.corp.com:8080’ using NTLM
[DEBUG] [org.gradle.internal.resource.transport.http.HttpClientConfigurer] Using Credentials [username: apac/u1] for authenticating against ‘proxy.corp.com:8080’ using null
[DEBUG] [org.gradle.internal.resource.transport.http.HttpClientConfigurer] Using Credentials [username: apac/w1] and NTLM Credentials [user: u1, domain: APAC, workstation: w1] for authenticating against ‘proxy.corp.com:8080’ using NTLM
[DEBUG] [org.gradle.internal.resource.transport.http.HttpClientConfigurer] Using Credentials [username: apac/u1] for authenticating against ‘proxy.corp.com:8080’ using null

[DEBUG] [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] Connection request: [route: {tls}->http://proxy:8080->https://plugins.gradle.org:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
[DEBUG] [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] Connection leased: [id: 4][route: {tls}->http://proxy.corp.com:8080->https://plugins.gradle.org:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
[DEBUG] [org.apache.http.impl.execchain.MainClientExec] Opening connection {tls}->http://proxy.corp.com:8080->https://plugins.gradle.org:443
[DEBUG] [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator] Connecting to proxy.corp.com/10.187.52.240:8080
[DEBUG] [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator] Connection established 10.169.174.169:53294<->10.187.52.240:8080
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Authentication required
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] proxy.corp.com:8080 requested authentication
[DEBUG] [org.apache.http.impl.client.ProxyAuthenticationStrategy] Authentication schemes in the order of preference: [Negotiate, Kerberos, NTLM, Digest, Basic]
[DEBUG] [org.apache.http.impl.auth.SPNegoScheme] Received challenge ‘’ from the auth server
[DEBUG] [org.apache.http.impl.client.ProxyAuthenticationStrategy] Challenge for Kerberos authentication scheme not available
[DEBUG] [org.apache.http.impl.client.ProxyAuthenticationStrategy] Challenge for Digest authentication scheme not available
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Selected authentication options: [NEGOTIATE, NTLM, BASIC [complete=true]]
[DEBUG] [org.apache.http.impl.conn.DefaultManagedHttpClientConnection] http-outgoing-4: Close connection
[DEBUG] [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator] Connecting to proxy.corp.com/10.187.52.240:8080
[DEBUG] [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator] Connection established 10.169.174.169:53295<->10.187.52.240:8080
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Generating response to an authentication challenge using Negotiate scheme
[DEBUG] [org.apache.http.impl.auth.SPNegoScheme] init proxy.corp.com
[WARN] [org.apache.http.impl.auth.HttpAuthenticator] NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Generating response to an authentication challenge using ntlm scheme
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Authentication required
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] proxy.corp.com:8080 requested authentication
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Authorization challenge processed
[DEBUG] [org.apache.http.impl.execchain.MainClientExec] Connection kept alive
[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Authentication succeeded
[DEBUG] [org.apache.http.impl.execchain.MainClientExec] Tunnel to target created.
[DEBUG] [org.apache.http.conn.ssl.SSLConnectionSocketFactory] Enabled protocols: [TLSv1]
[DEBUG] [org.apache.http.conn.ssl.SSLConnectionSocketFactory] Enabled cipher suites:[…]
[DEBUG] [org.apache.http.conn.ssl.SSLConnectionSocketFactory] Starting handshake
[DEBUG] [org.apache.http.impl.conn.DefaultManagedHttpClientConnection] http-outgoing-4: Shutdown connection
[DEBUG] [org.apache.http.impl.execchain.MainClientExec] Connection discarded
[DEBUG] [org.apache.http.impl.conn.DefaultManagedHttpClientConnection] http-outgoing-4: Close connection
[DEBUG] [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] Connection released: [id: 4][route: {tls}->http://proxy.corp.com:8080->https://plugins.gradle.org:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]

The gradle.properties look like that (+ https with the same values):

systemProp.http.proxyHost=proxy.corp.com
systemProp.http.proxyPort=8080
systemProp.http.proxyUser=apac/u1
systemProp.http.proxyPassword=p

Analysis of log

First of all I wonder why, even if the NTLM credentials are given, other credentials are used?

[DEBUG] [org.gradle.internal.resource.transport.http.HttpClientConfigurer] Using Credentials [username: apac/u1] and NTLM Credentials [user: u1, domain: APAC, workstation: w1] for authenticating against ‘proxy.corp.com:8080’ using NTLM
[DEBUG] [org.gradle.internal.resource.transport.http.HttpClientConfigurer] Using Credentials [username: apac/u1] for authenticating against ‘proxy.corp.com:8080’ using null

The following debug message points out that validation via Negotiate (and Kerberos?) is not possible due to not valid credentials. Well, I want to use NTLM validation, so why should I care about Negotiate (and Kerberos)?

[WARN] [org.apache.http.impl.auth.HttpAuthenticator] NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))

Then, obviously because Negotiate and Kerberos are not working, NTLM is used. Seems like the authentication succeeds.

[DEBUG] [org.apache.http.impl.auth.HttpAuthenticator] Authentication succeeded

But in the end the connection could not be established. Why is that?

Also I wonder why Basic authentication is not tried after NTLM failure. Is it because NTLM authentication was successful and this should be enough?

And yes, I know that there are already some topics on the NTLM issue, but the solutions are not working for us:

2

Is there any progress?

3

Unfortunately, I have been out of the project for quite some time. I solved the issue somehow but can’t remember anymore. Sorry.

4

Any one has a solution for this ?

5

I am not sure if this will solve anyone’s problem, but it worked for me. I put the following configuration within a gradle.properties file in my USER/.gradle directory:

systemProp.http.auth.ntlm.domain=myCompany # replace with your company's domain
systemProp.http.proxyHost=0.0.0.0 # replace with your proxy's host
systemProp.http.proxyPort=8080 # replace with your proxy's port
systemProp.http.proxyUser=myUsername # replace with your username
systemProp.http.proxyPassword=myPassword # replace with your password
systemProp.http.nonProxyHosts=localhost
# Same thing for https
systemProp.https.auth.ntlm.domain=myCompany
systemProp.https.proxyHost=0.0.0.0
systemProp.https.proxyPort=8080
systemProp.https.proxyUser=myUsername
systemProp.https.proxyPassword=myPassword
systemProp.https.nonProxyHosts=localhost

The important factor for me was not using the keepAlive system property, which caused my connections to hang. I’d consider copying and pasting the above, and if you have other properties you need/want then slowly add them to the file while testing each one.