WSMan/Winrm returning error code 400

  • Question

  • I am trying to implement NTLM sealing in Java. I have taken Wireshark and analysed communications sent by PowerShell that were encrypted, and with the help of the Microsoft documentation and http://davenport.sourceforge.net/ntlm.html, I have been able to read the contents of the sealed messages.

    I am now attempting to send my own sealed messages, and the error that I get is rather cryptic. In the event viewer, I get

    Sending HTTP error back to the client due to a transport failure.
    The HTTP status code is 400
    The error code is 5

    As I understand it, error code 5 means access is denied. Setting AllowUnencrypted=true (Client, not service) and resending the request unsealed works.

    The code that I used to decrypt the original transmissions is able to correctly decrypt my sealed message.

    POST /wsman HTTP/1.1
    Content-Length: 1058
    Content-Type: application/soap+xml; charset=UTF-8
    Host: 10.247.25.106:5985
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/4.3 (java 1.5)
    Accept-Encoding: gzip,deflate
    Authorization: Negotiate TlRMTVNTUAABAAAAMYII4gAAAAAoAAAAAAAAACgAAAAFASgKAAAADw==

    HTTP/1.1 401 
    WWW-Authenticate: Negotiate TlRMTVNTUAACAAAACAAIADgAAAA1goniel2IVW7JoyAAAAAAAAAAAMAAwABAAAAABgLwIwAAAA9jAG8AcgBwAAIACABjAG8AcgBwAAEAEABMAE8AUwBBAFIAMQAwADYABAAmAGMAbwByAHAALgBSAG8AbwB0AEQAbwBtAGEAaQBuAC4AYwBvAG0AAwA4AGwAbwBzAGEAcgAxADAANgAuAGMAbwByAHAALgBSAG8AbwB0AEQAbwBtAGEAaQBuAC4AYwBvAG0ABQAmAGMAbwByAHAALgBSAG8AbwB0AEQAbwBtAGEAaQBuAC4AYwBvAG0ABwAIAP0X8NqMUNABAAAAAA==
    Server: Microsoft-HTTPAPI/2.0
    Date: Tue, 24 Feb 2015 23:51:49 GMT
    Content-Length: 0

    POST /wsman HTTP/1.1
    Content-Length: 1316
    Content-Type: multipart/encrypted;protocol="application/HTTP-SPNEGO-session-encrypted";boundary="Encrypted Boundary"
    Host: 10.247.25.106:5985
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/4.3 (java 1.5)
    Accept-Encoding: gzip,deflate
    Authorization: Negotiate ...

    --Encrypted Boundary
    Content-Type: application/HTTP-SPNEGO-session-encrypted
    OriginalContent: type=application/soap+xml;charset=UTF-8;Length=1058
    --Encrypted Boundary
    Content-Type: application/octet-stream
    ...binary...--Encrypted Boundary--

    In this context, what exactly does error code 5 mean? Do I need to set some setting on the Windows host? Is it possible that the host and I are not using the same encryption key?



    Tuesday, February 24, 2015 11:56 PM

Answers

  • For anyone who encounters a similar issue: If you are using HttpClient (at the time of this v4.4 is the most recent release) to generate the NTLM messages, it does not at present support the use of the NTLM2 key flag (known as NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY according to the Microsoft spec). As a result, the headers that it generates will be rejected by the Windows server you attempt to connect to.
    Thursday, February 26, 2015 9:31 PM
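
Added example (not part of the original thread and not HttpClient code): a Python check of which session-security flags a captured `Negotiate` token carries, and which of the flags set in the server's challenge are missing from the client's Type 3 message. It uses the Type 1 token and the first 24 bytes of the Type 2 token from the capture above; the Type 3 token is constructed, the function names are assumptions, and the flag values and field offsets follow MS-NLMP.

```python
import base64
import struct

# NegotiateFlags bits relevant to signing/sealing (values from MS-NLMP).
FLAGS = {
    "NTLMSSP_NEGOTIATE_SIGN": 0x00000010,
    "NTLMSSP_NEGOTIATE_SEAL": 0x00000020,
    "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY": 0x00080000,
    "NTLMSSP_NEGOTIATE_128": 0x20000000,
    "NTLMSSP_NEGOTIATE_KEY_EXCH": 0x40000000,
    "NTLMSSP_NEGOTIATE_56": 0x80000000,
}
# Byte offset of NegotiateFlags in NEGOTIATE (1), CHALLENGE (2), AUTHENTICATE (3).
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}

# From the capture above: the client's Type 1 token and the first 24 bytes
# (32 base64 characters) of the server's Type 2 token.
NEGOTIATE = "TlRMTVNTUAABAAAAMYII4gAAAAAoAAAAAAAAACgAAAAFASgKAAAADw=="
CHALLENGE_HEAD = "TlRMTVNTUAACAAAACAAIADgAAAA1goni"

def parse_flags(token_b64):
    """Return (message_type, negotiate_flags) for a raw NTLMSSP token."""
    raw = base64.b64decode(token_b64)
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not a raw NTLMSSP token (SPNEGO-wrapped or truncated)")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    offset = FLAGS_OFFSET.get(msg_type)
    if offset is None or len(raw) < offset + 4:
        raise ValueError("unknown message type or token too short for flags")
    (flags,) = struct.unpack_from("<I", raw, offset)
    return msg_type, flags

def flag_names(flags):
    return [name for name, bit in FLAGS.items() if flags & bit]

def dropped_by_client(challenge_b64, authenticate_b64):
    """Security flags set in the server's CHALLENGE but absent from AUTHENTICATE."""
    _, server = parse_flags(challenge_b64)
    _, client = parse_flags(authenticate_b64)
    return flag_names(server & ~client)

def constructed_authenticate(flags):
    """Constructed sample: Type 3 header with six empty field descriptors."""
    raw = b"NTLMSSP\x00" + struct.pack("<I", 3) + b"\x00" * 48 + struct.pack("<I", flags)
    return base64.b64encode(raw).decode()

if __name__ == "__main__":
    print(hex(parse_flags(NEGOTIATE)[1]), flag_names(parse_flags(CHALLENGE_HEAD)[1]))
    weak = constructed_authenticate(parse_flags(NEGOTIATE)[1] & ~0x00080000)
    print(dropped_by_client(CHALLENGE_HEAD, weak))
```

To diagnose a real failure, pass the Type 3 token from your own capture to `dropped_by_client` in place of the constructed one.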

All replies

  • Hi Jason,

    Thank you for this inquiry. One of our team members will follow-up with you soon.

    Thanks,

    Edgar

    Wednesday, February 25, 2015 4:00 AM
    Moderator
  • Hi Jason:

    I'll need network traces as a first step to analyze this issue. Please send the network trace of failing scenario with the password that was used to authenticate to my attention to dochelp at Microsoft dot com.


    Regards, Obaid Farooqi

    Wednesday, February 25, 2015 11:36 PM
    Owner
  • Forum update:

    I am working with Jason offline through email. Once a resolution is reached, an update will be posted here.


    Regards, Obaid Farooqi

    Thursday, February 26, 2015 4:48 PM
    Owner