After asking this question, I'm trying to use NegotiateStream to authenticate a Windows client against a Java server. It seems that Java does not have great support for NTLM, so I'm working on the assumption that I'll have to use Kerberos, which Java seems to support much better (via the GSS-API).
The problem is that NegotiateStream seems to be trying to use NTLM every time. The documentation says that it can use either, but does not say how it chooses. I don't see any options in the API to control which mechanism it selects. Is there any way?
I have a service principal name, and my client code is as follows:
    using System.Net;
    using System.Net.Security;
    using System.Net.Sockets;

    // SPN of the service the client is authenticating to
    string spn = "<service-name>/<my-pc-name>";
    TcpClient client = new TcpClient(server, port);
    NetworkStream stream = client.GetStream();
    // leaveInnerStreamOpen = true: the TcpClient stream stays open when neg is disposed
    NegotiateStream neg = new NegotiateStream(stream, true);
    // Authenticate with the logged-on user's credentials against the SPN
    neg.AuthenticateAsClient(CredentialCache.DefaultNetworkCredentials, spn);
On the server end, the first bytes received are 22, 1, 0, 0, 59 and then "NTLMSSP", which I did not expect.
I have tried several different formats for the SPN string; I'm not sure I have the correct format. I originally created the SPN with
setspn -A <service-name>/<my-pc-name>.<domain-name> <my-user-name>
setspn -L lists it as:
TEST/<my-pc-name>.<domain-name>
Am I doing something wrong or completely misunderstanding this stuff? :)