[jcifs] MAC Signing and NTLMSSP over HTTP.
Michael B Allen
mba2000 at ioplex.com
Mon Feb 14 03:24:30 GMT 2005
Christopher R. Hertel said:
> Okay, I've been digging through the docs and I can see that I'm close to a
> clue, but not quite there yet...
>
> How does SMB signing work (if at all) with NTLMSSP over HTTP?
With NTLM signatures you need the plain text equivalent hash to create the
signing digest and that is never provided by NTLMSSP so signing is not
possible in this case.
However, signatures are established after the first seccessful
SessionSetup of an authenticated user (ie. not "null" or "GUEST) and does
not change thereafter. So jCIFS just uses the default creds to setup an
initial session with signing so that the additional SessionSetups created
with NTLMSSP info are okay.
Note that it has been observed that NT4 at least (don't know about W2K+)
does not actually check the signatures in SessionSetup requests! So you
can get away with authenticating multiple sets of credentials even if the
server requires signing. The Logoff's (or any other type of request) will
generate signing errors but if you're just authenticating users who cares?
But to be on the safe side we always recommend using "preauthentication"
credentials.
Mike
More information about the jcifs
mailing list