HTTP "Negotiate" authentication via NTLM from a Java SE6 client on Windows

Question

Does anyone know if a Java 6 client running on Windows is able to authenticate via NTLM when accessing a Microsoft server that implements the SPNEGO authentication protocol?

My understanding is that Java 6 running on Windows has built-in support for SPNEGO, but it seems that the Java implementation does not attempt NTLM authentication in the event kerberos authentication is not possible. The Authenticator example provided in the Sun docs fails with a 401 Unauthorized error in response to the server sending WWW-Authenticate: Negotiate.

Here is a description of the test environment:

Target Server:

• Windows 2008 R2 standalone server (not part of AD domain)
• Microsoft SOAP service implemented using WCF
• WCF is configured for SPNEGO authentication (kerberos and NTLM)
• WCF server cannot be reconfigured to support other auth modes :(

Client Machine:

• Windows 7 64-bit standalone workstation (not part of a domain)
• Java SE6 client running the Sun SPNEGO example

The ultimate goal is to use Apache CXF 2.4.0 to invoke SOAP services on the WCF server. Before adding in the complexities of CXF and SOAP I have been trying to retrieve the WSDL from the server using a simple Java test application to work out the authentication issues.

FWIW - I can access the WCF server from IE using the local Administrator login for the Windows server. I have also been able to create a Delphi XE SOAP client without any special authorization configuration. The Delphi SOAP client uses WinInet under the hood.

Answer 1

Java's SPNEGO is capable of Kerberos only because NTLM is a proprietary legacy MS technology. If your target machine is not part of a domain, as it is in your case, your are out of luck. You should switch to DIGEST-MD5 authentication if you can.