Bug #71620 NTLM authentication for HTTP Proxy
Submitted: 7 Feb 2014 11:39 Modified: 26 Feb 2014 9:58
Reporter: Daniël van Eeden (OCA) Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Enterprise Monitor: Server Severity:S3 (Non-critical)
Version:3.0.5 OS:Any
Assigned to: CPU Architecture:Any

[7 Feb 2014 11:39] Daniël van Eeden
Description:
NTLM Authentication for the HTTP Proxy seems to fail.

Logging (replace actual proxy hostname with proxy.example.com):

Debug 	Feb 7, 2014 12:24:18 PM 	Notifying no-one, there are no waiting threads
Debug 	Feb 7, 2014 12:24:18 PM 	Should close connection in response to directive: close
Debug 	Feb 7, 2014 12:24:18 PM 	Releasing connection back to connection manager.
Debug 	Feb 7, 2014 12:24:18 PM 	Freeing connection, hostConfig=HostConfiguration[host=http://blogs.oracle.com, proxyHost=http://proxy.example.com:8080]
Debug 	Feb 7, 2014 12:24:18 PM 	Authorization challenge processed
Debug 	Feb 7, 2014 12:24:18 PM 	Proxy authentication scope: NTLM <any realm>@proxy.example.com:8080
Debug 	Feb 7, 2014 12:24:18 PM 	Proxy credentials required
Info 	Feb 7, 2014 12:24:18 PM 	Failure authenticating with NTLM <any realm>@proxy.example.com:8080
Debug 	Feb 7, 2014 12:24:18 PM 	Cookie accepted: "$Version=0; BCSI-CS-290dbe905abd0b1b=2; $Path=/"
Debug 	Feb 7, 2014 12:24:18 PM 	Authorization required
Debug 	Feb 7, 2014 12:24:18 PM 	Using authentication scheme: ntlm
Debug 	Feb 7, 2014 12:24:18 PM 	Adding Host request header
Error 	Feb 7, 2014 12:24:18 PM 	Credentials cannot be used for NTLM authentication: org.apache.commons.httpclient.UsernamePasswordCredentials
Debug 	Feb 7, 2014 12:24:18 PM 	Open connection to proxy.example.com:8080
Debug 	Feb 7, 2014 12:24:18 PM 	Retry authentication
Debug 	Feb 7, 2014 12:24:18 PM 	Should close connection in response to directive: close
Debug 	Feb 7, 2014 12:24:18 PM 	Authenticating with NTLM <any realm>@proxy.example.com:8080
Info 	Feb 7, 2014 12:24:18 PM 	ntlm authentication scheme selected
Debug 	Feb 7, 2014 12:24:18 PM 	Using authentication scheme: ntlm
Debug 	Feb 7, 2014 12:24:18 PM 	Authorization challenge processed
Debug 	Feb 7, 2014 12:24:18 PM 	Proxy authentication scope: NTLM <any realm>@proxy.example.com:8080
Debug 	Feb 7, 2014 12:24:18 PM 	Cookie accepted: "$Version=0; BCSI-CS-290dbe905abd0b1b=2; $Path=/"
Debug 	Feb 7, 2014 12:24:18 PM 	Authorization required
Debug 	Feb 7, 2014 12:24:18 PM 	Supported authentication schemes in the order of preference: [ntlm, digest, basic]
Debug 	Feb 7, 2014 12:24:17 PM 	Adding Host request header
Debug 	Feb 7, 2014 12:24:17 PM 	Allocating new connection, hostConfig=HostConfiguration[host=http://blogs.oracle.com, proxyHost=http://proxy.example.com:8080]
Debug 	Feb 7, 2014 12:24:17 PM 	Open connection to proxy.example.com:8080
Debug 	Feb 7, 2014 12:24:17 PM 	Set parameter http.authentication.credential-provider = com.mysql.etools.monitor.net.JerseyApacheHttp$MemToHttpClientAdapter@25aef5c2
Debug 	Feb 7, 2014 12:24:17 PM 	Set parameter http.socket.timeout = 60000
Debug 	Feb 7, 2014 12:24:17 PM 	HttpConnectionManager.getConnection:  config = HostConfiguration[host=http://blogs.oracle.com, proxyHost=http://proxy.example.com:8080], timeout = 0
Debug 	Feb 7, 2014 12:24:17 PM 	Set parameter http.authentication.preemptive = false
Debug 	Feb 7, 2014 12:24:09 PM 	Dispatching to definition path '/WEB-INF/tiles/layouts/default.jsp '
Debug 	Feb 7, 2014 12:24:09 PM 	Render request recieved for definition 'WhatsNew.page'

How to repeat:
Try to use a HTTP Proxy with NTLM authentication

Suggested fix:
Add NTLM authentication support.
[7 Feb 2014 11:44] Daniël van Eeden
Seems to be a privilege error
[7 Feb 2014 11:54] Daniël van Eeden
Even with the correct privileges it doesn't work.

Verified privileges with:
$ http_proxy='proxy.example.com:8080' https_proxy='proxy.example.com:8080' wget --proxy-user='DOMAIN\user' --proxy-password='secret' -O /dev/null http://oracle.com
--2014-02-07 12:50:40--  http://oracle.com/
Resolving proxy.example.com... 123.123.123.123
Connecting to proxy.example.com|123.123.123.123|:8080... connected.
Proxy request sent, awaiting response... 301 Moved Permanently
Location: http://www.oracle.com/ [following]
--2014-02-07 12:50:40--  http://www.oracle.com/
Connecting to proxy1.example.com|123.123.123.123|:8080... connected.
Proxy request sent, awaiting response... 301 Moved Permanently
Location: http://www.oracle.com/index.html [following]
--2014-02-07 12:50:41--  http://www.oracle.com/index.html
Connecting to proxy.example.com|123.123.123.123|:8080... connected.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “/dev/null”

    [ <=>                                                                                                                                                 ] 36,895      --.-K/s   in 0.002s

2014-02-07 12:50:42 (14.4 MB/s) - “/dev/null” saved [36895]
[26 Feb 2014 9:58] MySQL Verification Team
Hello Daniel,

Thank you for the bug report!

Thanks,
Umesh