What parameters for an NTLM authentication can be automatized , and how to do it with java?

Go To StackoverFlow.com


I want to know what parameters can be automatized out of the 6 used during an NTLM authentication, which are:

"Username" - The one used to login on the Operating System's profile currently in use. -Already automatized, using System.getProperty("user.name")

"Password" - Same as the above. -Probably can't be automated, but i'm never sure till i try and ask...

"ProxyAddress" - Address of the proxy, to which the authentication is "handshaked to" in order to pass. -I already pseudo-automatized, but its fixed code, thus bad.

"ProxyPort" - The listening port on the proxy previously explained. -I already pseudo-automatized, but its fixed code, thus bad.

"Workstation" - My PC's ID in the local network or something...I'm currently using my machine's property ID, and its working, but i have no idea if its the correct value, or if there is a need for a value in the first place. -No idea how to automatize, but i know it's possible. NEED HELP

"Domain" - No idea which domain it refers to, thus no idea what value it should have...leaving it blank seems to be working... -No idea how to automatize, but i know it's possible. NEED HELP

EXTRA INFO: I'm using the HtmlClient library for the process, including authentication.

DefaultCredentialsProvider credentialProvider = (DefaultCredentialsProvider) webClient.getCredentialsProvider();
    credentialProvider.addNTLMCredentials(username, password, proxyAddress, proxyPort, workstation, domain);
2012-04-04 18:42
by XenoRo


I'm sort of assuming that you're talking about Apache HTTPClient and HTLMUnit, but I'm basing that assumption off the method signatures in the code you provided, so I apologize if I'm mistaken.

  1. For NTLM, this is the remote username, not necessarily the currently logged in user on the local host. I suspect that these are the same user in your scenario, but I did want to point that out. In that case, yes, using the user.name system property will provide the name of the currently logged in user:


    on Windows, you can also use the USERNAME environment variable:


    or you could use the com.sun.security.auth.module.NTSystem class:

    new NTSystem.getName();
  2. You cannot get the user's password. However, you may still be able to perform single signon where the user does not need to provide a password (more on that below.)

  3. The Java mechanism for specifying HTTP proxies is using the http.proxyHost system property:

    String proxyHost = System.getProperty("http.proxyHost");

    Note that you should also check the http.nonProxyHosts system property.

    Some JREs (Mac OS comes to mind immediately) will set these system properties based on the system proxy settings. If this is not set by your JRE, you will probably want to try to determine the proxy from another source. On Unix systems, you may wish to use the HTTP_PROXY environment variable. On Windows systems, you're likely best off using the ProxySelector class, as explained in this stackoverflow post.

  4. Similar to the http.proxyHost system property, the Java mechanism is with the http.proxyPort system property:

    int proxyPort = Integer.parseInt(System.getProperty("http.proxyPort"));
  5. To reliably get your hostname on Unix, you should really call gethostname(2) via JNI or exec /usr/bin/hostname, unfortunately. On Windows, you may use the COMPUTERNAME environment variable:

  6. You can get the domain name that the local machine is joined to, however (short of prompting the user), there's no way to automatically get the domain name of the machine you're authenticating to. Of course this is moot if your local workstation and the authentication target are on the same domain. Thus, on Windows, you can either use the USERDOMAIN environment variable:


    or you can use the NTSystem class:

    new NTSystem().getDomain();


As for implementing "single signon" (such that the user need not provide a password):

You may be able to perform single signon (without needing a password) by using the Java Kerberos functionality, however I was unsuccessful in this because Java requires explicit Kerberos configuration (and does not use the host's configuration) and it does not implement some ciphers required by Active Directory. (Or that's my understanding.)

You could also perform single signon with NTLM or SPNEGO (Kerberos) by using JNI to call InitializeSecurityContext and pass the resulting tokens in the WWW-Authenticate header.

2012-04-04 21:41
by Edward Thomson
Excellent answer! Helped a lot! I bow to you, sir Edward - the awesome! : - XenoRo 2012-04-09 15:10