NTLM authentication was deprecated in HttpClient 5.3.1; can I authenticate using headers? (Java)


deprecation notice. My workplace still uses the NTLM authentication scheme. We have over 600k employees so it's not a small company. If I encounter the 401 status code, "NTLM" is the only scheme that is accepted. How can I utilize the newer versions of Apache HttpClient and still handle the NTLM challenge-response? Is it possible to use an existing Java library and work directly with the headers?

I've searched Stack Overflow for NTLM and HttpClient deprecation but can't find anything helpful.


There are 2 answers

Stephen C

How can I utilize the newer versions of Apache HttpClient and still handle the NTLM challenge-response?

According to the latest published javadocs for Apache HttpClient 5.4 alpha, NTLM support has not been removed yet. However, that won't be a long term solution.

The real problem here is that Microsoft is planning to kill off NTLM ... because it is no longer considered to be secure.

So, sooner or later your company is going to have to switch from NTLM to something better.

I guess you could investigate other Java HTTP client libraries to see if they intend to keep NTLM support going longer. But it strikes me as a waste of effort to convert all of your code ... as a solution to the NTLM problem. Likewise, creating and maintaining your own fork of the Apache HTTPClient library (where NTLM support continues) would be an effort sink ... assuming that you / your team had the skills to do it.


Is it possible to use an existing Java library and work directly with the headers?

I can't see how you would do that. And assuming it is actually feasible, it would be a bad idea to roll your own NTLM implementation even if you are a security expert.


In short, I don't think there are any easy solutions.

b126

My IT infrastructure told me a few weeks ago that NTLM would soon no longer be supported as well, so I had the same concern as you recently about creating an app with SSO in a full Windows environment (Apache servers, PHP code, Edge/FF/Chrome browsers).

Although I'm still convinced that NTLM will remain in place for years, I've been looking for alternatives.

Perhaps you could try KERBEROS, depending on your environment. It could work in a similar way.

What is your working environment? I suppose a mix of Linux servers/Windows clients?

In my case, I ended up going for an ADFS server queried via OIDC (OpenID Connect) and OAuth2. SAML was also available if I wanted to use it.

Does your infrastructure have an AD/LDAP server? If so, you could set up an ADFS server "quite simply". When you tell me that you manage 600k customers, I however can imagine nothing is simple.