*    certificate is not included in this chain.
 *  * The client's handshake certificates must include a set of trusted root certificates. They will
 *    be used to authenticate the server's certificate chain. Typically this is a set of well-known
 *    root certificates that is distributed with the HTTP client or its platform. It may be
 *    augmented by certificates private to an organization or service.

                ntlm = (NtlmPasswordAuthentication) ssn.getAttribute("npa-" + server);
            }
            if ( ntlm == null ) {
                resp.setHeader("WWW-Authenticate", "NTLM");
                if ( offerBasic ) {
                    resp.addHeader("WWW-Authenticate", "Basic realm=\"" + this.realm + "\"");
                }
                resp.setHeader("Connection", "close");

                ntlm = (NtlmPasswordAuthentication)ssn.getAttribute( "npa-" + server );
            }
            if( ntlm == null ) {
                resp.setHeader( "WWW-Authenticate", "NTLM" );
                if (offerBasic) {
                    resp.addHeader( "WWW-Authenticate", "Basic realm=\"" + realm + "\"");
                }
                resp.setHeader( "Connection", "close" );

//
// Kubelets use this API to obtain:
//  1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName).
//  2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName).
//
// This API can be used to request client certificates to authenticate to kube-apiserver
// (with the "kubernetes.io/kube-apiserver-client" signerName),

      public Authenticate() {
        client = new OkHttpClient.Builder()
            .authenticator(new Authenticator() {
              @Override public Request authenticate(Route route, Response response) throws IOException {
                if (response.request().header("Authorization") != null) {
                  return null; // Give up, we've already attempted to authenticate.
                }

        if (authenticator != null && fessConfig.getSystemPropertyAsBoolean(SPNEGO_INITIALIZED, false)) {
            return authenticator;
        }
        try {
            // set some System properties
            final SpnegoFilterConfig config = SpnegoFilterConfig.getInstance(new SpengoConfig());

            // pre-authenticate
            authenticator = new org.codelibs.spnego.SpnegoAuthenticator(config);

    {!> ../../../docs_src/security/tutorial003.py!}
    ```

!!! info
    The additional header `WWW-Authenticate` with value `Bearer` we are returning here is also part of the spec.

    Any HTTP (error) status code 401 "UNAUTHORIZED" is supposed to also return a `WWW-Authenticate` header.

    In the case of bearer tokens (our case), the value of that header should be `Bearer`.

     * 
     * @return whether any transport was still in use
     * 
     * @throws CIFSException
     * 
     */
    boolean close () throws CIFSException;


    /**
     * Authenticate arbitrary credentials represented by the
     * <tt>NtlmPasswordAuthentication</tt> object against the domain controller
     * specified by the <tt>UniAddress</tt> parameter. If the credentials are

        .code(HttpURLConnection.HTTP_PROXY_AUTH)
        .message("Preemptive Authenticate")
        .sentRequestAtMillis(-1L)
        .receivedResponseAtMillis(-1L)
        .header("Proxy-Authenticate", "OkHttp-Preemptive")
        .build()

    val authenticatedRequest =
      route.address.proxyAuthenticator
        .authenticate(route, fakeAuthChallengeResponse)

    return authenticatedRequest ?: proxyConnectRequest

a client certificate.

The following curl example shows how to authenticate to a MinIO server with client certificate and obtain STS access credentials.

```curl
curl -X POST --key private.key --cert public.crt "https://minio:9000?Action=AssumeRoleWithCertificate&Version=2011-06-15&DurationSeconds=3600"