Home » Android » java – Is there any solid way to deal with Windows integrated (NTLM) authentication from an android app?

java – Is there any solid way to deal with Windows integrated (NTLM) authentication from an android app?

Posted by: admin May 14, 2020 Leave a comment

Questions:

As the title states, we’re looking for a way to access a .NET 3.5 Web service that is behind a Windows integrated (NTLM) authentication.

We’ve searched the internets and this forum this entire week, and we’ve yet to find a solution to this problem.

We’ve tried, DefaultHttpConnections, different variations of HttpPost, HttpGet etc.

However we try to authenticate ourselves we run into these:

    SSLHandshakeException

or

   Authentication scheme ntlm not supported
   Authentication error: Unable to respond to any of these challenges: 
   ntlm=WWW-Authenticate: NTLM, negotiate=WWW-Authenticate: Negotiate

The IIS authentication is set as follows:
enter image description here

The page we’re trying to access is an .aspx in a subfolder to the default site, and we dont have previliges and neither is it safe to change the authentication to the default site.

I know many others out there in the internets has similar problems.

And also, the app we’re developing is not supposed to use web-views.

Any constructive pointers about how to solve this will be highly appreciated. Thanks in advance.




UPDATE: We have now changed the service to perform both basic and ntlm authentication.

When we run the code below to a localhost test-server we get the proper response, the localhost does not have any sort of authentication mechanism. The response as follows:

<soap:Body>
<FooResponse xmlns="uri:FlexAPI">
<FooResult>
<typeFooBar>
<FooNumber>4545</FooNumber>
<BarNumber>1</BarNumber>
</typeFooBar>
</FooResult>
</FooResponse>
</soap:Body>

However, When we run the code below on our authenticated server we get this.

org.xmlpull.v1.XmlPullParserException: expected:
START_TAG {http://schemas.xmlsoap.org/soap/envelope/}Envelope
(position:START_TAG @2:44 in [email protected])

        SoapObject request = new SoapObject(NAMESPACE, METHOD_NAME);



        request.addProperty("Foo", Bar.getText().toString());
        request.addProperty("Foo", Bar.getText().toString());
        request.addProperty("Foo", Bar() );
        request.addProperty("Foo", Bar.getText().toString());



        SoapSerializationEnvelope envelope = new SoapSerializationEnvelope(SoapEnvelope.VER11);


        envelope.dotNet = true;
        envelope.setOutputSoapObject(request);

        envelope.encodingStyle = "utf-8";
        envelope.implicitTypes = false;

        String myUrlz= "http://" + myUrl.getText().toString() +"/Foo/Bar.asmx"; 



        HttpTransportBasicAuth auth = new HttpTransportBasicAuth(myUrlz, "Foo", "Bar");

        auth.debug = true;

try
{

auth.call(SOAP_ACTION, envelope); // Fails on this line. 
System.out.println("Dump" + auth.responseDump);


// all the other stuff.....


}
catch (FooException Bar)
{

                // ¯\_(ツ)_/¯

}

So basically, we’re recieveing html response instead of xml when accessing the protected service. And yes, the localhost service and the sharp service are exactly the same except for the authentication part.

How to&Answers:

The short answer is no, there is no out-of-the-box method for NTLM on android.

The long answer is that there have been successful attempts in hacking together your own solution using the Apache HttpClient. See the following links:

http://danhounshell.com/blog/android-using-ntlm-authentication-with-httpclient/
http://mrrask.wordpress.com/2009/08/21/android-authenticating-via-ntlm/

Answer:

There is no way an Android device can have a valid NTLM token for a Windows domain it does not belong to.

The only option you have is to change the authentification mechanism on the server to something more appropriate. If you need to restrict access to the page, here are some options available to you:

  • Basic authentification (over http or over https)
  • form based authentification (over http or over https)
  • https with SSL certificate authentification (in Android app and server side)
  • public page with Oauth (over http or hhtps)
  • public page with OpenID (over http or hhtps)