VMware {code} Community
rangajith
Contributor

Java service + Windows authentication with external IIS webservice

Hi All,

We have a web client plugin that has a UI and Java data providers. These data providers are written to get data from a C# REST API hosted in IIS. That API uses Windows authentication to authenticate users.

Here is how we call the API in Java code:

    final URL url = new URL(path);
    final HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
    // TLS socket factory and hostname verifier come from the plug-in's own helper class
    connection.setSSLSocketFactory(ClientCertificateHelper.getSSLSocketFactory());
    connection.setHostnameVerifier(ClientCertificateHelper.getHostnameVerifier());
    connection.setRequestMethod("GET");
    connection.setUseCaches(false);
    connection.setDoOutput(true);
    connection.setInstanceFollowRedirects(true);
    // No user or credentials are set explicitly on the request
    final String response = getResponse(connection);

As you can see, we are not explicitly setting any user for this request. What we have seen in the past is that when the Java data providers make calls to the C# API, it passes the domain machine account (domainname\machinename$) as the user. (The vCenter web client service runs as "local system".) And that was working fine.

However, there is one environment where this is failing. We are getting the following error when calling the external API.

    [2013-12-13 00:17:38.719] ERROR [ERROR] data-service-pool-506 System.err java.io.IOException: Authentication failure
    [2013-12-13 00:17:38.719] ERROR [ERROR] data-service-pool-506 System.err  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    [2013-12-13 00:17:38.719] ERROR [ERROR] data-service-pool-506 System.err  at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)

According to the IIS logs, the incoming username is empty, which means it's doing anonymous requests. (Or the authentication negotiation fails. The authentication providers order in IIS is Negotiate, NTLM.)

Could someone please give some directions to resolve this issue?

Is there a way to make this call as the logged-in user for the web client?

Any help on this is really appreciated as we are stuck with this error.

-Thanks
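
An added example, not part of the original post: a small Python check for the symptom described above, where the IIS log shows an empty username. It reads a W3C-format IIS log and lists clients that only ever received 401 challenges and never produced a request with a username; the sample log lines, IP addresses and account name are constructed.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2013-12-13 00:17:36 GET /api/items - 10.0.0.5 401 2
2013-12-13 00:17:36 GET /api/items - 10.0.0.5 401 1
2013-12-13 00:17:36 GET /api/items EXAMPLE\\HOSTA$ 10.0.0.5 200 0
2013-12-13 00:17:38 GET /api/items - 10.0.0.9 401 2
2013-12-13 00:17:38 GET /api/items - 10.0.0.9 401 1
"""


def parse_w3c(text):
    """Yield one dict per request, using the column order from #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def unauthenticated_clients(text):
    """Return {client_ip: number_of_401s} for clients that were challenged
    but never sent a request IIS could attribute to a user ("-" = empty)."""
    challenges = defaultdict(int)
    authenticated = set()
    for row in parse_w3c(text):
        ip = row.get("c-ip", "?")
        if row.get("cs-username", "-") != "-":
            authenticated.add(ip)
        elif row.get("sc-status") == "401":
            challenges[ip] += 1
    return {ip: n for ip, n in challenges.items() if ip not in authenticated}


if __name__ == "__main__":
    for ip, n in unauthenticated_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} challenges (401), no authenticated request")
```

A client that completes Negotiate or NTLM shows its 401 challenges followed by a request carrying a username; a client listed by this check never got that far.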

laurentsd
VMware Employee

I am not familiar with connections to IIS services, but as far as the Web client user is concerned, you can find all the information in UserSession, including samlTokenXml, the XML value of the SAML Token representing the current user. A plug-in can use that information to check the user's authentication if necessary; see the vSphere Single Sign-On documentation.

rangajith
Contributor

Thanks Laurent

So we did some investigation and it looks like the JRE version ("1.6.0_37") that the web client is using has this issue with long machine names. We created a test with the above call and ran it using that JRE, and it gave the same error. But the latest version of the JRE (build 1.7.0_45-b18) did not show this error.

A similar problem is reported over here: Java Client throws exception – while sending NTLMV2 Response from WIN7 to WIN2K8R2

Is there a way we can update the JRE version under "c:\Program Files\VMware\Infrastructure\jre\", or can we use the latest JRE somehow for the web client server?

If so, would that be an officially supported case by VMware?

laurentsd
VMware Employee

Unfortunately you cannot swap JRE versions like that. We still use Java 1.6 because some of our libraries require it. Upgrading the JRE would break things.

You need to find another way to perform user authentication, like using the samlTokenXml value I was mentioning.

rangajith
Contributor

Thanks, we will look into that in future.

In the meantime, do you know if there is any documentation that lists the JRE version used in 5.5? I see that it's 1.7.0_17 by running "java -version" on "C:\Program files\Common Files\VMware\VMware vCenter Server - Java Components\bin", but I am wondering if there is a place where this is officially documented. (Sorry for the "non-technical" question here :) )

laurentsd
VMware Employee

I don't know of any such documentation, you may try other forums.
