cloudsoft / winrm4j

Apache License 2.0
SPNEGO/Negotiate auth scheme not working despite Kerberos and NTLM both working #170

Open Jackington6600 opened 10 months ago

Jackington6600 commented 10 months ago

Been having some issues for a while that I cannot wrap my head around. I've set up an environment where this library works with both Kerberos and NTLM individually, but ideally I'd like the library to negotiate a connection, preferring Kerberos and using NTLM if that fails. I was under the impression that SPNEGO/Negotiate was the best way to do this, but I've only ever received the same error when using Negotiate auth scheme (paraphrased certain lines as I need to exclude some):

[I/O dispatcher 1] WARN org.apache.http.impl.nio.client.MainClientExec - NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))

[main] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmService#{http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}Create has thrown exception, unwinding now org.apache.cxf.interceptor.Fault: Could not send Message.

Caused by: java.io.IOException: Authorization loop detected on Conduit "{http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmPort.http-conduit" on URL "http://domain-controller:5985/wsman" with realm "null"

Error: Invalid credentials or incompatible authentication schemes

As I say, I have got this all working with Kerberos by setting a realm and kdc using Java setProperty(). Negotiate is enabled in WinRM on both the client and the service. I use the exact same username and target address when running for all auth schemes attempted. Are there some other properties/setup I'm missing for Negotiate to work? Or is there another way to have it try Kerberos and NTLM?

For my use case I ideally would like to avoid setting config/variables outside of the code (such as in a krb5.conf file).