[jcifs] Using jcifs to validate users against NT

Allen, Michael B (RSCH) Michael_B_Allen at ml.com
Wed Apr 3 11:18:47 EST 2002


> -----Original Message-----
> From:	Pugsley, Jason [SMTP:Jason.Pugsley at team.telstra.com]
> Sent:	Tuesday, April 02, 2002 7:43 PM
> To:	'Michael B.Allen'; Tolman-Kevin
> Cc:	jcifs at lists.samba.org
> Subject:	RE: [jcifs] Using jcifs to validate users against NT
> 
> Hi,
> 
> Somewhat off topic to this discussion, but I've been working on a similar
> task. I'm using tomcat and jcifs, but in a slightly different way. My users
> are on the company intranet, and (because of company policy) use Internet
> Explorer by default. Many of the company's web sites started using NTLM
> authentication between the users' IE and web site's IIS servers. I've been
> using Java and Tomcat on a Solaris box but I wanted the same transparent
> logon for my users.
> 
> I created a new authentication class in Tomcat, a new class in jcifs, and
> some modifications to some jcifs classes. The logon process goes something
> like this:
> . Web browser requests web page
> . Web server checks if user is already authenticated, bypasses the rest if they
> are.
> . Create a Tomcat session to persist jcifs data
> . Create the UniAddress objects for PDC and BDC
> . Send response to browser saying Authenticate with NTLM
> . Browser sends domain and host information
> . Server connects to PDC or BDC with SmbTransport.getSmbTransport(dc, port)
> . Send response to browser including transport.server.encryptionKey
> . Browser sends domain, host and username as well as encoded LM and NT
> passwords
> . Server sends username, encoded LM and NT passwords and domain to
> transport.getSmbSession()
> . If SmbAuthException or SmbException is thrown, reject logon otherwise
> accept user
> 
	Well, this sounds interesting, but I'm not sure I understand it exactly. Why do
	you send the encryptionKey to the browser? Does IE perform some kind of
	special authentication, and if so, is it specific to IE or will it work with Mozilla,
	for example?

> Because the passwords from IE needed the encryptionKey from the domain
> controller, and because they then return already encoded passwords, I needed
> to modify some of the jcifs classes and create one of my own within smb to
> have access to protected package level objects (if someone knows more Java
> and a non-intrusive way to add my code please let me know).
> 
> To pass and process the already encoded passwords, I had to make additions
> to SmbComSessionSetupAndX.java, SmbSession.java, and SmbTransport.java
> 
> The changes were mostly in constructors to allow passing the 2 encoded
> passwords, and a test to skip encoding the already encoded passwords at
> writeParameterWordsWireFormat() in SmbComSessionSetupAndX.java
> 
> I also created SmbNTLM.java in the same package so there is a publicly
> accessible interface for Tomcat to use.
> 
> The changes are minimal, but would need more testing at someone else's site
> to be sure it works properly - I know it does for me, but my site does not
> get high traffic.
> 
> I've already mentioned this to the Tomcat developers as I thought it might
> be something other Tomcat web sites would find useful - I didn't get much of
> a response as I suspect most Tomcat developers don't work in an NT based
> intranet like me.
> 
> So, would it be appropriate to include my changes in jcifs, or is it out of
> the scope of the jcifs project? My understanding is that in order to get to
> the protected methods and data in the jcifs.smb package, my changes/classes
> need to be within that package. I can't simply create a new package outside
> jcifs and get to the innards of the jcifs classes, or am I not understanding
> something about Java?
> 
	I would be interested in including this sort of thing in the distribution provided the
	code was sane. It has always been my intention to create some kind of jcifs.Toolkit
	class for this kind of thing. Your code might be a very nice intermediate for people
	until we can get DCE/RPC working (if we ever do). Please tell me where I can find
	information about the authentication mechanism if it is specific to IE.

	Thanks
	Mike
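The handshake Jason lists above (challenge from the domain controller relayed to the browser, encoded LM/NT responses relayed back to the DC) is the NTLM-over-HTTP exchange, and the reason the encryptionKey must go to the browser is that the browser's responses are only valid against the challenge the DC itself issued. The following is an added illustration of that exchange in Python, written for this thread; it is not jcifs code, not Jason's Tomcat class, and not an IE implementation. The NTLMSSP Type 2 and Type 3 message layouts it packs and unpacks are the documented ones; the domain controller is a constructed stand-in (`mock_dc_verify`) that simply knows one valid response for the challenge it handed out, and all names, hosts and byte values are constructed sample data. Note the check on the NT response length: an empty response is what a null (anonymous) session sends, and a pass-through server has to reject it itself rather than let the DC treat it as a valid anonymous logon.

```python
"""NTLM-over-HTTP pass-through sketch (added illustration; not jcifs code)."""
import base64
import struct
from dataclasses import dataclass

SIGNATURE = b"NTLMSSP\x00"
# NTLMSSP negotiate flags (MS-NLMP); only the few needed here.
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_OEM = 0x00000002
NEGOTIATE_NTLM = 0x00000200


def _secbuf(length: int, offset: int) -> bytes:
    """Security buffer header: length, max length, offset (little-endian)."""
    return struct.pack("<HHI", length, length, offset)


def _read_secbuf(msg: bytes, at: int) -> bytes:
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside message")
    return msg[offset:offset + length]


def build_type2(challenge: bytes, target: str) -> bytes:
    """Type 2 (challenge) message: carries the DC's 8-byte challenge to the browser."""
    if len(challenge) != 8:
        raise ValueError("NTLM challenge must be exactly 8 bytes")
    target_bytes = target.encode("utf-16-le")
    header_len = 48  # sig 8, type 4, target secbuf 8, flags 4, challenge 8, context 8, targetinfo secbuf 8
    return (SIGNATURE + struct.pack("<I", 2)
            + _secbuf(len(target_bytes), header_len)
            + struct.pack("<I", NEGOTIATE_NTLM | NEGOTIATE_UNICODE)
            + challenge + b"\x00" * 8
            + _secbuf(0, header_len + len(target_bytes))
            + target_bytes)


@dataclass
class Type3:
    domain: str
    host: str
    user: str
    lm_response: bytes
    nt_response: bytes


def parse_type3(msg: bytes) -> Type3:
    """Unpack the Type 3 (authenticate) message the browser sends in Authorization: NTLM."""
    if len(msg) < 64 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError(f"expected Type 3, got Type {msg_type}")
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    lm, nt = _read_secbuf(msg, 12), _read_secbuf(msg, 20)
    domain = _read_secbuf(msg, 28).decode(enc)
    user = _read_secbuf(msg, 36).decode(enc)
    host = _read_secbuf(msg, 44).decode(enc)
    if len(nt) < 24:  # empty response = null session; never forward that as a logon
        raise ValueError("NT response too short")
    return Type3(domain, host, user, lm, nt)


def build_type3(domain: str, host: str, user: str, lm: bytes, nt: bytes) -> bytes:
    """Constructed stand-in for the browser's Type 3; responses are given as bytes."""
    enc = "utf-16-le"
    parts = [lm, nt, domain.encode(enc), user.encode(enc), host.encode(enc), b""]
    bufs, offset = b"", 64  # sig 8, type 4, six secbufs 48, flags 4
    for part in parts:
        bufs += _secbuf(len(part), offset)
        offset += len(part)
    flags = struct.pack("<I", NEGOTIATE_NTLM | NEGOTIATE_UNICODE)
    return SIGNATURE + struct.pack("<I", 3) + bufs + flags + b"".join(parts)


def server_challenge_header(dc_challenge: bytes, domain: str) -> str:
    """WWW-Authenticate value: the DC's challenge (encryptionKey) relayed verbatim."""
    return "NTLM " + base64.b64encode(build_type2(dc_challenge, domain)).decode("ascii")


def challenge_from_header(header: str) -> bytes:
    """Browser side: pull the 8-byte challenge out of the Type 2 message."""
    msg = base64.b64decode(header.split(" ", 1)[1])
    return msg[24:32]


def browser_authorization_header(domain, host, user, lm, nt) -> str:
    return "NTLM " + base64.b64encode(build_type3(domain, host, user, lm, nt)).decode("ascii")


def server_accept(authorization: str, dc_verify) -> tuple:
    """Last step of the thread's list: forward responses to the DC, reject on any error."""
    scheme, _, b64 = authorization.partition(" ")
    if scheme != "NTLM":
        return False, "not NTLM"
    try:
        t3 = parse_type3(base64.b64decode(b64))
    except ValueError as e:
        return False, f"malformed Type 3: {e}"
    try:
        dc_verify(t3.domain, t3.user, t3.lm_response, t3.nt_response)
    except PermissionError as e:  # analogue of SmbAuthException
        return False, str(e)
    return True, f"{t3.domain}\\{t3.user} from {t3.host}"


# Constructed DC stand-in: it issued DC_CHALLENGE and knows the one valid NT response
# for user CORP\jdoe against it (a real DC derives this from the stored hash).
DC_CHALLENGE = bytes(range(1, 9))
KNOWN_NT_RESPONSE = bytes([0xAB] * 24)


def mock_dc_verify(domain: str, user: str, lm: bytes, nt: bytes) -> None:
    if (domain.upper(), user.lower(), nt) != ("CORP", "jdoe", KNOWN_NT_RESPONSE):
        raise PermissionError("logon failure")


if __name__ == "__main__":
    hdr = server_challenge_header(DC_CHALLENGE, "CORP")
    assert challenge_from_header(hdr) == DC_CHALLENGE
    auth = browser_authorization_header("CORP", "WS1", "jdoe", bytes(24), KNOWN_NT_RESPONSE)
    print(server_accept(auth, mock_dc_verify))
```

The web server in this flow never sees a password, only challenge responses, which is exactly why Jason had to bypass the password-encoding step in `writeParameterWordsWireFormat()` and hand the already-encoded LM/NT blobs through to the session setup.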
