
Is there any solid way to deal with Windows integrated (NTLM) authentication from an Android app?

As the title states, we're looking for a way to access a .NET 3.5 Web service that is behind a Windows integrated (NTLM) authentication.

We've searched the internets and this forum this entire week, and we've yet to find a solution to this problem.

We've tried DefaultHttpConnections, different variations of HttpPost, HttpGet, etc.

However we try to authenticate ourselves we run into these:

    SSLHandshakeException

or

    Authentication scheme ntlm not supported
    Authentication error: Unable to respond to any of these challenges:
    ntlm=WWW-Authenticate: NTLM, negotiate=WWW-Authenticate: Negotiate

The IIS authentication is set as follows: [image]

The page we're trying to access is an .aspx in a subfolder to the default site, and we don't have privileges and neither is it safe to change the authentication to the default site.

I know many others out there in the internets have similar problems.

And also, the app we're developing is not supposed to use web-views.

Any constructive pointers about how to solve this will be highly appreciated. Thanks in advance.




UPDATE: We have now changed the service to perform both basic and NTLM authentication.

When we run the code below against a localhost test server we get the proper response; the localhost does not have any sort of authentication mechanism. The response is as follows:

    <soap:Body>
      <FooResponse xmlns="uri:FlexAPI">
        <FooResult>
          <typeFooBar>
            <FooNumber>4545</FooNumber>
            <BarNumber>1</BarNumber>
          </typeFooBar>
        </FooResult>
      </FooResponse>
    </soap:Body>

However, when we run the code below on our authenticated server we get this:

    org.xmlpull.v1.XmlPullParserException: expected: START_TAG {http://schemas.xmlsoap.org/soap/envelope/}Envelope (position:START_TAG @2:44 in java.io.InputStreamReader@4054b398)

    SoapObject request = new SoapObject(NAMESPACE, METHOD_NAME);

    request.addProperty("Foo", Bar.getText().toString());
    request.addProperty("Foo", Bar.getText().toString());
    request.addProperty("Foo", Bar());
    request.addProperty("Foo", Bar.getText().toString());

    SoapSerializationEnvelope envelope = new SoapSerializationEnvelope(SoapEnvelope.VER11);

    envelope.dotNet = true;
    envelope.setOutputSoapObject(request);

    envelope.encodingStyle = "utf-8";
    envelope.implicitTypes = false;

    String myUrlz = "http://" + myUrl.getText().toString() + "/Foo/Bar.asmx";

    HttpTransportBasicAuth auth = new HttpTransportBasicAuth(myUrlz, "Foo", "Bar");

    auth.debug = true;

    try
    {
        auth.call(SOAP_ACTION, envelope); // Fails on this line.
        System.out.println("Dump" + auth.responseDump);

        // all the other stuff.....
    }
    catch (FooException Bar)
    {
        // ¯\_(ツ)_/¯
    }

So basically, we're receiving an HTML response instead of XML when accessing the protected service. And yes, the localhost service and the sharp service are exactly the same except for the authentication part.

asked Aug 12 '11 07:08 by Jens Bergvall




1 Answer

The short answer is no, there is no out-of-the-box method for NTLM on Android.

The long answer is that there have been successful attempts in hacking together your own solution using the Apache HttpClient. See the following links:

http://danhounshell.com/blog/android-using-ntlm-authentication-with-httpclient/
http://mrrask.wordpress.com/2009/08/21/android-authenticating-via-ntlm/

answered Sep 22 '22 16:09 by CosmosKey
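
The question's two symptoms (the "Unable to respond to any of these challenges" error and the XML parser choking on an HTML body) can both be caught before the SOAP parser runs by looking at the status code, the `WWW-Authenticate` headers and the `Content-Type`. The following is an added example, not code from the question, the answer or the linked posts; the class and method names, the `server.example` host, the sample responses and the set of schemes the client supports are all assumptions made for illustration.

```java
import java.util.*;

/** Added example: classify an HTTP response before handing its body to a SOAP parser. */
public class AuthChallengeCheck {

    /** Schemes named in the WWW-Authenticate header values, lower-cased, in server order. */
    static List<String> offeredSchemes(List<String> wwwAuthenticate) {
        List<String> schemes = new ArrayList<>();
        for (String value : wwwAuthenticate) {
            // Assumes one challenge per header line (as in the error quoted in the question).
            String scheme = value.trim().split("\\s+", 2)[0].toLowerCase(Locale.ROOT);
            if (!scheme.isEmpty() && !schemes.contains(scheme)) schemes.add(scheme);
        }
        return schemes;
    }

    /** Explains what a response means for a client that can only answer clientSchemes. */
    static String diagnose(String url, int status, String contentType,
                           List<String> wwwAuthenticate, Set<String> clientSchemes) {
        if (status == 401) {
            List<String> offered = offeredSchemes(wwwAuthenticate);
            List<String> usable = new ArrayList<>(offered);
            usable.retainAll(clientSchemes);
            if (usable.isEmpty())
                return "401: server offers " + offered + ", client supports none of them";
            String pick = usable.get(0);
            if (pick.equals("basic") && !url.toLowerCase(Locale.ROOT).startsWith("https://"))
                return "401: only Basic is usable; over plain http the password is merely base64-encoded, use https";
            return "401: retry with " + pick;
        }
        if (contentType == null || !contentType.toLowerCase(Locale.ROOT).contains("xml"))
            return status + ": body is " + contentType + ", not XML; do not pass it to the SOAP parser";
        return status + ": XML body, safe to parse as SOAP";
    }

    public static void main(String[] args) {
        // Assumption: a client stack that can answer Basic and Digest but not NTLM/Negotiate.
        Set<String> client = new HashSet<>(Arrays.asList("basic", "digest"));
        // Constructed sample responses, not captured from the poster's server.
        System.out.println(diagnose("http://server.example/Foo/Bar.asmx", 401, "text/html",
                Arrays.asList("Negotiate", "NTLM"), client));
        System.out.println(diagnose("http://server.example/Foo/Bar.asmx", 401, "text/html",
                Arrays.asList("Negotiate", "NTLM", "Basic realm=\"server.example\""), client));
        System.out.println(diagnose("https://server.example/Foo/Bar.asmx", 200, "text/xml; charset=utf-8",
                Collections.<String>emptyList(), client));
    }
}
```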