我正在尝试在WsMan连接期间使用NTLM身份验证 . 但是WinRm不直接支持NTLM方案的问题 . 这是响应头:
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 401 [\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Server: Microsoft-HTTPAPI/2.0[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "WWW-Authenticate: Negotiate[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "WWW-Authenticate: Kerberos[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "WWW-Authenticate: CredSSP[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Date: Thu, 10 Aug 2017 18:57:33 GMT[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Connection: close[\r][\n]"
21:57:33.557 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Content-Length: 0[\r][\n]"
官方文件中未提及NTLM计划https://docs.microsoft.com/en-us/powershell/module/Microsoft.WsMan.Management/Get-WSManInstance?view=powershell-5.1
但它说
谈判 . 协商是一种质询 - 响应方案,它与服务器或代理协商以确定用于身份验证的方案 . 例如,此参数值允许协商以确定是否使用Kerberos协议或NTLM .
我正在尝试使用SPNEGO架构
RegistryBuilder<AuthSchemeProvider> builder = RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory());
但最终,它失败https://pastebin.com/gGNEHGpx所以看起来NTLM是SPNEGO的子机制,但如何正确使用Apache http-client?
2 回答
谈判意味着Kerberos或NTLM . https://blogs.technet.microsoft.com/tristank/2006/08/02/two-easy-ways-to-pick-kerberos-from-ntlm-in-an-http-capture/
我发现一个SpNegoNTLMSchemeFactory可以正常使用WinRm https://gist.github.com/moberwasserlechner/4690931
JCIFSEngine.java == apache NTLMEngineImpl.java SpNegoNTLMSchemeFactory.java == apache NTLMSchemeFactory.java
SpNegoNTLMScheme.java!= apache NTLMScheme.java但这里唯一的区别是