NTLM fails when consuming SharePoint web service from Java?


Problem description

I have a Java client that consumes SharePoint 2010 standard web services (sitedata.asmx, permissions.asmx, etc.) written with the JAX-WS implementation from JDK 6.

So far, authentication is done with NTLM using a custom Authenticator implementation and Authenticator.setDefault(...) approach.

When running on my test environment which has only one SharePoint server, it works fine. I can see all the NTLM negotiation using WireShark.

But if running at a customer which has multiple servers, hardware load balancing and multiple SharePoint alternate access mappings, I get Error 401 Unauthorized from the web service calls. I haven't had a chance to use WireShark to debug on that environment.

I run my client from a Windows machine (on the customer setup), so according to Java documentation it should be fine for NTLM. Also, I used the default URL from SharePoint to access the web services (not the load balanced URLs).

The machine running the client application is not a SharePoint server. It has Windows Integrated Authentication with NTLM configured.

Also, due to SharePoint administration policies, I'm unable to access SharePoint Central Administration or make any change to the configuration (nor IIS).

I want to ask if anyone knows what the issue may be? And hopefully if anyone knows how to fix it?

Thanks in advance.

EDIT:

It's important to mention that the same permission levels were granted on both environments.

Solution

Well, finally I had a chance to use WireShark on the customer environment.

First I noticed they have NTLM v2 configured, but that's OK since Java 1.6 supports it.

Then I saw that since Windows Integrated Authentication is enabled, the currently logged-in user's credentials are sent instead of the ones configured in the code. Since the logged-in user has no permissions on SharePoint, I received 401 Unauthorized.

According to Java documentation, this is the normal behavior:

"In fact, if you are running on a Windows machine as a domain user, or, you are running on a Linux or Solaris machine that has already issued the kinit command and got the credential cache. The class MyAuthenticator will be completely ignored ..... which shows the username and password are not consulted. This is the so-called Single Sign-On."

I hope someone can answer this question since I think that's exactly what I need.

Finally, I observed that with HTTP, Windows credentials will be tried first, and on failure the credentials provided by the code will be used instead. Thus, everything works fine.

When using HTTPS, only Windows credentials will be used, so I always got 401 Unauthorized.

Not sure what causes the difference between HTTP and HTTPS.
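
To check from inside the JVM which of the cases above applies, without a packet capture, the probe below counts how often the JDK calls the Authenticator during one request. It is an added example, not code from the original post; the class names and the two command-line arguments (the service URL and a DOMAIN\user account, both supplied by the reader) are assumptions.

```java
import java.io.Console;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;

/** Added example: reports whether the JDK consulted the code-supplied Authenticator. */
public class NtlmCredentialProbe {
    /** Returns the configured credentials and counts every callback from the JDK. */
    static final class RecordingAuthenticator extends Authenticator {
        int calls;
        private final PasswordAuthentication creds;
        RecordingAuthenticator(String user, char[] password) {
            creds = new PasswordAuthentication(user, password);
        }
        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            calls++;
            System.out.println("Authenticator consulted: scheme=" + getRequestingScheme()
                    + " host=" + getRequestingHost());
            return creds;
        }
    }

    /** Maps the HTTP status and callback count to the cases described in the answer. */
    static String interpret(int status, int calls) {
        boolean denied = status == HttpURLConnection.HTTP_UNAUTHORIZED;
        if (calls == 0) {
            return denied
                    ? "401 and the Authenticator was never consulted: the configured credentials were not used"
                    : "Authenticator never consulted: no challenge, or the logged-in identity was accepted";
        }
        return denied
                ? "401 after " + calls + " callback(s): the configured credentials were offered and rejected"
                : "Configured credentials were requested " + calls + " time(s); status " + status;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console(); // password is read interactively, not from argv
        if (args.length != 2 || console == null) {
            System.err.println("usage (from a terminal): java NtlmCredentialProbe <service-url> <DOMAIN\\user>");
            return;
        }
        RecordingAuthenticator auth = new RecordingAuthenticator(args[1], console.readPassword("Password: "));
        Authenticator.setDefault(auth);
        HttpURLConnection conn = (HttpURLConnection) new URL(args[0]).openConnection();
        // Arguments are evaluated left to right, so the request completes before calls is read.
        System.out.println(interpret(conn.getResponseCode(), auth.calls));
    }
}
```

Run it once against the HTTP URL and once against the HTTPS URL, each in a fresh JVM, because the JDK caches authentication state per process.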
