0

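I am trying to use NTLM authentication during a WsMan connection. The problem is that WinRm does not support the NTLM scheme directly. Here are the response headers: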

21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 401 [\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Server: Microsoft-HTTPAPI/2.0[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "WWW-Authenticate: Negotiate[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "WWW-Authenticate: Kerberos[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "WWW-Authenticate: CredSSP[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Date: Thu, 10 Aug 2017 18:57:33 GMT[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Connection: close[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Content-Length: 0[\r][\n]"

The official documentation does not mention the NTLM scheme: https://docs.microsoft.com/en-us/powershell/module/Microsoft.WsMan.Management/Get-WSManInstance?view=powershell-5.1

But it says:

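Negotiate. Negotiate is a challenge-response scheme that negotiates with the server or proxy to determine the scheme to use for authentication. For example, this parameter value allows negotiation to determine whether the Kerberos protocol or NTLM is used.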

I am trying to use the SPNEGO scheme:

RegistryBuilder<AuthSchemeProvider> builder = RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory());

But in the end it fails (https://pastebin.com/gGNEHGpx), so it looks like NTLM is a sub-mechanism of SPNEGO. But how do I use it properly with Apache http-client?

4

2 Answers

1

Negotiate means Kerberos or NTLM. https://blogs.technet.microsoft.com/tristank/2006/08/02/two-easy-ways-to-pick-kerberos-from-ntlm-in-an-http-capture/

answered 2017-08-11T14:02:57.070
0

I found a SpNegoNTLMSchemeFactory that works fine with WinRm: https://gist.github.com/moberwasserlechner/4690931

JCIFSEngine.java == apache NTLMEngineImpl.java
SpNegoNTLMSchemeFactory.java == apache NTLMSchemeFactory.java

SpNegoNTLMScheme.java != apache NTLMScheme.java, but the only difference here is

  @Override
  public String getSchemeName() {
    return AuthSchemes.SPNEGO; // <- the apache class returns NTLM here
  }


  @Override
  public Header authenticate(final Credentials credentials, final HttpRequest request) throws AuthenticationException {
    ...
    buffer.append(": ");
    buffer.append(getSchemeName().toUpperCase());  // <- the apache class returns NTLM here
    buffer.append(" ");
    buffer.append(response);
    return new BufferedHeader(buffer);
  }
answered 2017-08-11T12:11:53.953
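
Added example, not from either answer or from the linked gist: a Python heuristic that reads HttpClient wire-log lines like those in the question and reports whether each Negotiate token carries raw NTLMSSP, an SPNEGO token, or raw Kerberos. The sample tokens and the Authorization lines are constructed, and the check matches leading bytes and mechanism OIDs instead of doing a full ASN.1 parse.

```python
import base64
import re

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded mechanism OIDs
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
# Matches auth headers in HttpClient wire-log lines like those in the question.
WIRE = re.compile(r'(<<|>>) "(WWW-Authenticate|Authorization): (\w+) ?([A-Za-z0-9+/=]*)')


def classify_token(b64):
    """Heuristically name what a base64 Negotiate/NTLM token carries."""
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIG):
        # The 4-byte little-endian message type follows the signature.
        mtype = int.from_bytes(raw[8:12], "little")
        return "raw NTLMSSP " + NTLM_TYPES.get(mtype, "type %d" % mtype)
    if raw[:1] == b"\x60" and OID_SPNEGO in raw[:16]:
        known = (("Kerberos", OID_KRB5), ("NTLMSSP", OID_NTLMSSP))
        mechs = [name for name, oid in known if oid in raw]
        return "SPNEGO offering " + "+".join(mechs or ["unknown"])
    if raw[:1] == b"\x60" and OID_KRB5 in raw[:16]:
        return "raw Kerberos"
    return "unknown"


def scan(lines):
    """Return (direction, scheme, verdict) for every auth header in wire-log lines."""
    found = []
    for line in lines:
        m = WIRE.search(line)
        if m:
            direction, _header, scheme, token = m.groups()
            verdict = classify_token(token) if token else "offer, no token"
            found.append((direction, scheme, verdict))
    return found


# Constructed tokens: an NTLM type 1 message and a minimal SPNEGO NegTokenInit listing only NTLMSSP.
NTLM_TYPE1 = base64.b64encode(NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(20)).decode()
SPNEGO_NTLM = base64.b64encode(bytes.fromhex(
    "601c06062b0601050502a0123010a00e300c060a2b06010401823702020a")).decode()
# Constructed wire-log lines: the first mirrors the 401 in the question, the others are made up.
SAMPLE = [
    'http-outgoing-0 << "WWW-Authenticate: Negotiate[\\r][\\n]"',
    'http-outgoing-0 >> "Authorization: Negotiate %s[\\r][\\n]"' % NTLM_TYPE1,
    'http-outgoing-0 >> "Authorization: Negotiate %s[\\r][\\n]"' % SPNEGO_NTLM,
]
```

Calling `scan(SAMPLE)` returns one tuple per header; a verdict of "raw NTLMSSP" on a Negotiate line means the NTLM message was sent directly under the Negotiate scheme name, without an SPNEGO wrapper.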