NTLM fails when consuming SharePoint web service from Java?

Question

I have a Java client that consumes SharePoint 2010 standard web services (sitedata.asmx, permissions.asmx, etc) written with JAX-WS implementation from the JDK 6.

So

Answer 1

Well, finally I had a chance to use WireShark on the costumer environment.

First I noticed they have NTLM v2 configured, but that's OK since Java 1.6 supports it.

Then I saw that since Windows Integrated Authentication is enabled, the current logged user credentials are sent instead of the ones configured on the code. Since logged user has no permissions on SharePoint, I received 401 Unauthorized.

According to Java documentation this is the normal behavior

In fact, if you are running on a Windows machine as a domain user, or, you are running on a Linux or Solaris machine that has already issued the kinit command and got the credential cache. The class MyAuthenticator will be completely ignored ..... which shows the username and password are not consulted. This is the so-called Single Sign-On.

I hope someone can answer this question since I think that's exactly what I need.

Finally, I observed that with HTTP first Windows credentials will be tried, and on failure the credentials provided by the code will be used instead. Thus, everything works fine.

When using HTTPS, only Windows credentials will be used, so I always got 401 Unauthorized.

Not sure what the causes the difference between HTTP and HTTPS.

Answer 2

You have to disable the tranparent authentication in java. you can do this either by dropping in a custom rt.jar or using reflection to modify the java classes.

tryTransparentNTLMServer and tryTransparentNTLMProxy are the fields in the HttpURLConnection which you need to set accessible and then to false when using the reflection method. Obviously just change this class if your making your own rt.jar