11

As the title states, we're looking for a way to access a .NET 3.5 Web service that is behind a Windows integrated (NTLM) authentication.

We've searched the internets and this forum this entire week, and we've yet to find a solution to this problem.

We've tried DefaultHttpConnections, different variations of HttpPost, HttpGet, etc.

However we try to authenticate ourselves we run into these:

    SSLHandshakeException

or

    Authentication scheme ntlm not supported
    Authentication error: Unable to respond to any of these challenges:
    ntlm=WWW-Authenticate: NTLM, negotiate=WWW-Authenticate: Negotiate

The IIS authentication is set as follows: [image: IIS authentication settings]

The page we're trying to access is an .aspx in a subfolder of the default site, and we don't have privileges, and neither is it safe, to change the authentication on the default site.

I know many others out there in the internets have similar problems.

And also, the app we're developing is not supposed to use web-views.

Any constructive pointers about how to solve this will be highly appreciated. Thanks in advance.




UPDATE: We have now changed the service to perform both basic and ntlm authentication.

When we run the code below against a localhost test server we get the proper response; the localhost does not have any sort of authentication mechanism. The response is as follows:

    <soap:Body>
      <FooResponse xmlns="uri:FlexAPI">
        <FooResult>
          <typeFooBar>
            <FooNumber>4545</FooNumber>
            <BarNumber>1</BarNumber>
          </typeFooBar>
        </FooResult>
      </FooResponse>
    </soap:Body>

However, when we run the code below on our authenticated server we get this:

    org.xmlpull.v1.XmlPullParserException: expected: START_TAG {http://schemas.xmlsoap.org/soap/envelope/}Envelope (position:START_TAG @2:44 in java.io.InputStreamReader@4054b398)

    SoapObject request = new SoapObject(NAMESPACE, METHOD_NAME);

    request.addProperty("Foo", Bar.getText().toString());
    request.addProperty("Foo", Bar.getText().toString());
    request.addProperty("Foo", Bar());
    request.addProperty("Foo", Bar.getText().toString());

    SoapSerializationEnvelope envelope = new SoapSerializationEnvelope(SoapEnvelope.VER11);
    envelope.dotNet = true;
    envelope.setOutputSoapObject(request);
    envelope.encodingStyle = "utf-8";
    envelope.implicitTypes = false;

    String myUrlz = "http://" + myUrl.getText().toString() + "/Foo/Bar.asmx";

    HttpTransportBasicAuth auth = new HttpTransportBasicAuth(myUrlz, "Foo", "Bar");
    auth.debug = true;

    try {
        auth.call(SOAP_ACTION, envelope); // Fails on this line.
        System.out.println("Dump" + auth.responseDump);
        // all the other stuff.....
    } catch (FooException Bar) {
        // ¯\_(ツ)_/¯
    }

So basically, we're receiving an HTML response instead of XML when accessing the protected service. And yes, the localhost service and the sharp service are exactly the same except for the authentication part.

Jens Bergvall
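
The two failures in the question (no answerable challenge, then an HTML body handed to the SOAP parser) can be told apart by checking the status line, `WWW-Authenticate` headers and `Content-Type` before parsing. This is an added example, not code from the question; the class name, the `triage` helper, the `host.example` URL and the sample responses are hypothetical, and it assumes a client that can only answer Basic.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class ResponseTriage {
    // Assumption: this client can only answer Basic (no NTLM/Negotiate support).
    static final List<String> SUPPORTED = Arrays.asList("basic");

    // Scheme name = first token of each WWW-Authenticate header value.
    // Assumes one challenge per header line, as in the error quoted in the question.
    static List<String> offeredSchemes(List<String> wwwAuthenticate) {
        List<String> schemes = new ArrayList<>();
        for (String value : wwwAuthenticate) {
            String scheme = value.trim().split("\\s+", 2)[0].toLowerCase(Locale.ROOT);
            if (!scheme.isEmpty()) schemes.add(scheme);
        }
        return schemes;
    }

    static String triage(String url, int status, String contentType, List<String> wwwAuthenticate) {
        if (status == 401) {
            List<String> offered = offeredSchemes(wwwAuthenticate);
            for (String scheme : offered) {
                if (!SUPPORTED.contains(scheme)) continue;
                // Basic credentials are only base64-encoded, so never send them over plain http.
                if (!url.toLowerCase(Locale.ROOT).startsWith("https://"))
                    return "REFUSE: " + scheme + " offered, but the URL is not https";
                return "RETRY with " + scheme;
            }
            return "FAIL: cannot answer any of " + offered;
        }
        String type = contentType == null ? "" : contentType.toLowerCase(Locale.ROOT);
        boolean xml = type.startsWith("text/xml") || type.startsWith("application/soap+xml");
        // SOAP 1.1 faults arrive as HTTP 500 with an XML body, so both statuses go to the parser.
        if (xml && (status == 200 || status == 500)) return "PARSE as SOAP";
        return "FAIL: HTTP " + status + " with Content-Type '" + type + "' is not a SOAP envelope";
    }

    public static void main(String[] args) {
        // Constructed responses, not captured traffic; host.example is a placeholder.
        List<String> ntlmOnly = Arrays.asList("NTLM", "Negotiate");
        List<String> withBasic = Arrays.asList("NTLM", "Negotiate", "Basic realm=\"example\"");
        List<String> none = new ArrayList<>();
        System.out.println(triage("http://host.example/Foo/Bar.asmx", 401, "text/html", ntlmOnly));
        System.out.println(triage("http://host.example/Foo/Bar.asmx", 401, "text/html", withBasic));
        System.out.println(triage("https://host.example/Foo/Bar.asmx", 401, "text/html", withBasic));
        System.out.println(triage("https://host.example/Foo/Bar.asmx", 200, "text/html; charset=utf-8", none));
        System.out.println(triage("https://host.example/Foo/Bar.asmx", 200, "text/xml; charset=utf-8", none));
    }
}
```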

2 Answers

1

The short answer is no, there is no out-of-the-box method for NTLM on Android.

The long answer is that there have been successful attempts in hacking together your own solution using the Apache HttpClient. See the following links:

http://danhounshell.com/blog/android-using-ntlm-authentication-with-httpclient/

http://mrrask.wordpress.com/2009/08/21/android-authenticating-via-ntlm/

CosmosKey
  • We tried something like this, and it partially works. It works perfectly fine to authenticate to the service if it's http. If we change it to https we get a SSLPeerUnverifiedException: No peer certificate. Is there any way to make an ugly hack to ignore if our server has a cert or not? – Jens Bergvall Aug 17 '11 at 13:18
  • Da_smokes, this seems to be either that you can't verify the server's cert chain or that a client cert is missing. If it's the former, then get a proper public certificate where the signing CA is in the client's keystore. If it's the latter then it will either be your code which has configured the http client to use a client cert or the Samba/Apache code which might be trying to negotiate for a client cert. I haven't worked with the Samba/Apache code, but I do know how SSPI negotiates between two parties. – CosmosKey Aug 17 '11 at 14:16
  • If one requests to have an auth'ed and encrypted channel, SSPI will negotiate for an authentication and encryption scheme, not caring which one is selected. To limit SSPI to a specific auth or encryption scheme you normally need to specify which ones should be part of the handshake procedure. Why am I saying this? The code you have might need some guidance as to which auth and encryption scheme to use. There might be a mixup here where SSL is selected for both auth and encryption. What you want is of course SSL for encryption only and NTLM for auth. I hope this helps in troubleshooting. – CosmosKey Aug 17 '11 at 14:16
  • webview.postUrl(Constants.postUrl, EncodingUtils.getBytes("{\"Key\":\"Value\", \"Key\":\"value\"}", "BASE64")); – sss Oct 21 '16 at 05:11
0

There is no way an Android device can have a valid NTLM token for a Windows domain it does not belong to.

The only option you have is to change the authentication mechanism on the server to something more appropriate. If you need to restrict access to the page, here are some options available to you:

  • Basic authentication (over http or over https)
  • form based authentication (over http or over https)
  • https with SSL certificate authentication (in Android app and server side)
  • public page with OAuth (over http or https)
  • public page with OpenID (over http or https)
Community
rds
  • Yes, we've looked into that and ran into a different wall. This android project is designed to be a replica of an iPhone app we've created. If we changed the mechanism from WINDOWS AUTH to anything else, our iPhone app that is trying to connect to the service simply fails at authenticating. Atm we're thinking about having two different sites with the same web-service content but with different authentication mechanisms. – Jens Bergvall Aug 16 '11 at 14:21
  • Da_smokes, the most important bit is that you get authed I guess. Can't you run form-based and NTLM-based at the same time without breaking the iPhone app? If you can then post the creds to the form from android to get the session auth'ed and then you redirect the app to the protected pages/web services. – CosmosKey Aug 16 '11 at 14:57