Java - Integrated Windows Authentication - NTLM Authentication Forwarding

[Will]

We have a java web application that calls web services on other
machines (SOA). The browser authenticates to IIS using Integrated
Windows Authentication (IWA) using the NTLM protocol to the web
application. The web services require the same type of authentication,
but we are unable to forward the credetials from the web application
(received from the browser) to the web service calls. The calls fail
with a HTTP 401 error.

We are using Apache Jakarta Commons HttpClient. It has parameters to
forward the NTLM info, however the password is required... and that is
unattainable, without prompting the user... which we do not wish to do.
..NET has the ability to forward the credentials via the
System.Net.CredentialCache.DefaultCredentials object, without actually
needing access to the password.

The customer will not change the authentication architecture. Can this
nut be cracked with Java. They do not wish to run IIS or the Java
Application Server as a valid domain user either.

 

[buunguyen]

Does NTLM require a password to be sent along? Anyway, I think you need
to do some JNI to obtain the current Windows credential.

 

[Will]

The interface to the Java HTTP clients that can authenticate via
IWA/NTLM to IIS require a password to be passed into the API unless
there is a Java HTTP client that doesn't. Do you know of one?

How would the windows credentials be propogated to Java into an HTTP
client via JNI? I don't think there is a way to query LDAP/Active
Directory for a user password. The passwords are stored as a one-way
hash.

 

[gtcc2009]

Will, you will need to use JNI to get the Windows credential via the
SSPI Windows APIs. I've never worked with it to give you more insight
advices.

Hope it helps.

 

[buunguyen]

I meant you use JNI to get all the necessary Windows credentials, then
pass them as parameters to the HTTP request of your HTTP client.

 

[Will]

Thanks. I'll check out the SSPI API.