Question

I am trying to authenticate to a Windows server running IIS that is configured for Windows Integrated Authentication (SPNEGO) using Apache HttpClient 4.3. My code looks very similar to that of the sample code I've been able to locate online, but when I run it I consistently get an HTTP 401 returned. I ran Wireshark on the results, and do not see the SPNEGO token being passed on to the server.

I'm able to hit the protected resource just fine via a web browser, and in this case I do see the SPNEGO token. The behavior is different when I run my code, though. Here is the code in question:

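import java.io.IOException;
import java.security.Principal;

import org.apache.http.HttpEntity;
import org.apache.http.RequestLine;
import org.apache.http.StatusLine;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

// ENDPOINT (the URL of the protected resource) is defined elsewhere in the enclosing class.
public static void main(String[] args) {
    // Point the JVM at the Kerberos and JAAS configuration files.
    System.setProperty("java.security.krb5.conf",
            "c:\\develop\\XYZ\\KerberosTest\\conf\\krb5.conf");
    // Let JGSS obtain credentials from the JAAS login module instead of the current Subject.
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    System.setProperty("java.security.auth.login.config",
            "c:\\develop\\XYZ\\KerberosTest\\conf\\login.conf");

    // Placeholder credentials: the real credentials come from JAAS/Kerberos.
    Credentials jaasCredentials = new Credentials() {
        public String getPassword() {
            return null;
        }

        public Principal getUserPrincipal() {
            return null;
        }
    };

    // Offer the placeholder credentials for any host, port and realm.
    CredentialsProvider credsProvider = new BasicCredentialsProvider();
    credsProvider.setCredentials(new AuthScope(null, -1, null),
            jaasCredentials);
    // Register SPNEGO as the only authentication scheme the client supports.
    Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder
            .<AuthSchemeProvider> create().register(AuthSchemes.SPNEGO,
                    new SPNegoSchemeFactory()).build();
    CloseableHttpClient httpclient = HttpClients.custom()
            .setDefaultAuthSchemeRegistry(authSchemeRegistry)
            .setDefaultCredentialsProvider(credsProvider).build();

    try {
        HttpGet httpget = new HttpGet(ENDPOINT);
        RequestLine requestLine = httpget.getRequestLine();
        CloseableHttpResponse response = httpclient.execute(httpget);
        try {
            StatusLine status = response.getStatusLine();
            HttpEntity entity = response.getEntity();
            if (entity != null) {
            }
            // Drain the response body so the connection can be released.
            EntityUtils.consume(entity);
        } finally {
            response.close();
        }
    } catch (ClientProtocolException e) {
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    } finally {
        try {
            httpclient.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}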

I believe I have configured my krb5.conf file correctly, and my login.conf file is taken directly from the Apache HttpClient documentation. I've also made the appropriate registry key change, as mentioned in the docs.

Any idea what could be causing this or how I could go about troubleshooting? Is there a step or line I am missing?

Solution

Problem solved. This appears to be due to a bug in IBM's JDK. Once I changed to Sun's, everything works.
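
For the troubleshooting step the question describes (checking a capture for the SPNEGO token), the following is an added example, not part of the original post or of HttpClient. It classifies an Authorization header value copied from a capture; the class name, result labels and sample values are constructed for illustration, and it assumes Java 8 or later for java.util.Base64.

```java
import java.util.Arrays;
import java.util.Base64;

// Added example (not from the original post): classify an HTTP
// "Authorization" header value copied from a packet capture.
public class NegotiateTokenCheck {
    // DER encoding of the SPNEGO mechanism OID 1.3.6.1.5.5.2 (tag 0x06, length 6).
    private static final byte[] SPNEGO_OID = {0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
    // Every NTLM message starts with the ASCII signature "NTLMSSP" and a NUL byte.
    private static final byte[] NTLM_SIG = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};

    static String classify(String header) {
        if (header == null || header.trim().isEmpty()) {
            return "NO_TOKEN";          // the client never answered the 401 challenge
        }
        String[] parts = header.trim().split("\\s+", 2);
        if (!parts[0].equalsIgnoreCase("Negotiate")) {
            return "NOT_NEGOTIATE";     // some other scheme (Basic, Digest, ...)
        }
        if (parts.length < 2) {
            return "MALFORMED";         // scheme name without a token
        }
        byte[] token;
        try {
            token = Base64.getDecoder().decode(parts[1].trim());
        } catch (IllegalArgumentException e) {
            return "MALFORMED";
        }
        if (startsWith(token, 0, NTLM_SIG)) {
            return "NTLM_FALLBACK";     // raw NTLM: no Kerberos ticket was used
        }
        // GSS-API initial token: 0x60, DER length octets, then the mechanism OID.
        if (token.length > 2 && (token[0] & 0xff) == 0x60) {
            int lenOctets = (token[1] & 0x80) == 0 ? 1 : 1 + (token[1] & 0x7f);
            if (startsWith(token, 1 + lenOctets, SPNEGO_OID)) {
                return "SPNEGO";
            }
        }
        return "UNKNOWN_MECHANISM";
    }

    private static boolean startsWith(byte[] data, int off, byte[] prefix) {
        return off >= 0 && data.length >= off + prefix.length
                && Arrays.equals(Arrays.copyOfRange(data, off, off + prefix.length), prefix);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real capture.
        byte[] spnego = {0x60, 0x0a, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02, (byte) 0xa0, 0x00};
        System.out.println(classify(null));
        System.out.println(classify("Negotiate " + Base64.getEncoder().encodeToString(spnego)));
        System.out.println(classify("Negotiate TlRMTVNTUAABAAAA"));
    }
}
```

A NO_TOKEN result on the retried request matches the symptom in the question: the client received the 401 challenge but the JVM's GSS layer never produced a token to send back.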

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow