Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Issues with GetHttp and NTLM authentication in NiFi,Consuming HTTP API with NTLM auth doesn't work

avatar
Contributor

I'm trying to consume API protected with NTLM authentication [Windows server]. I configured GetHttp process with Url of the server and username + password.

Username in a format of domain/username. I doubled checked the credentials and they are fine.

The GetHttp doesn't work and I am getting 401 [unauthorized] error from the API server.

Here's NiFi log output:

2016-11-23 17:45:22,272 WARN [Timer-Driven Process Thread-7]
o.a.http.impl.auth.HttpAuthenticator NEGOTIATE authentication error: No valid
credentials provided (Mechanism level: No valid credentials provided (Mechanism
level: Failed to find any Kerberos tgt))
2016-11-23 17:45:22,272 WARN [Timer-Driven Process Thread-7]
o.a.http.impl.auth.HttpAuthenticator NTLM authentication error: Credentials
cannot be used for NTLM authentication:
org.apache.http.auth.UsernamePasswordCredentials
2016-11-23 17:45:22,274 ERROR [Timer-Driven Process
Thread-7] o.a.nifi.processors.standard.GetHTTP
GetHTTP[id=91ce7dfd-0158-1000-1c53-cf24cf132983] received status code
401:Unauthorized from http://internal.api.ep/dosomething

I will appreciate any recommendation how to work this out.

Thank you!

1 ACCEPTED SOLUTION

avatar
Super Collaborator

Looks like gethttp does not support nt authentication from looking at the code. if you open a jira we can get it added and have a patch available.

View solution in original post

12 REPLIES 12

avatar
Super Collaborator

try adding this to the wifi bootstrap.. http.auth.ntlm.domain = your domain ..

or you can add username@domain as the user.

avatar
Contributor

Thank you! I've just tried both ways and it doesn't work. Anything else I can do?

avatar
Super Collaborator

did you add like so to nifi bootstrap

jvm.args.x(+1 the last arg)=-Dhttp.auth.ntlm.domain=hortonworks.com (replace with your domain)/

avatar
Contributor

yes, I added the line in bootstrap.conf configuration as you recommended:

http.auth.ntlm.domain=mydomain

still doesn't work

avatar
Super Collaborator

alternatively you can try entering username like so "hortonworks.com\karthik"

avatar
Contributor

Thank you! this is is exactly what I did... I tried it with domain\username, username@domain. Also changed bootstrap.conf configuration as you recommended:

http.auth.ntlm.domain=mydomain

still doesn't work...

avatar
Super Collaborator

Looks like gethttp does not support nt authentication from looking at the code. if you open a jira we can get it added and have a patch available.

avatar
Contributor

avatar
Super Collaborator

I have done the needed code changes. Unfortunately i do not have a way to test this. If i sent you the NAR with the code change, would you be able to test it. Basically, just swap out the nifi-standar-nar-x.x.x from the lib, with the one i send you. Please test it on a local, non-prod instance.