[jcifs] Using jcifs to validate users against NT

Pugsley, Jason Jason.Pugsley at team.telstra.com
Wed Apr 3 14:29:20 EST 2002


Allen,

Here's a link that explains it all. http://www.innovation.ch/java/ntlm.html
It's the same authentication system that jcifs uses to authenticate/connect
to a file server, with some changes to make it work over HTTP. It's a
Microsoft thing to make logging on with IE to IIS (Internet Information
Server) more transparent. The NTLM authentication that IE uses is a little
more secure than, say, the BASIC method which only uses base64 to encode the
username and password. NTLM auth uses the same handshake as you use between
a jcifs application and the file server, only it's from IE to the file
server via a web server. As far as IE is concerned the web server and file
server are the same box as it's designed to be between IE and IIS on an NT
box. Thus IE authenticates to the web server just as if it's a pc client
connecting to an SMB file server.

In my case the web server isn't on an NT box - it's Solaris with a Java
based web server - Tomcat. That's what made jcifs the perfect choice - it's
a 100% Java solution.

When the IE browser connects to the web server, it expects to get the
encryptionKey back (the web server sets up an smb session to the domain
controller or file server and gets an encryptionKey) so that it can encode
the passwords then send them back to the web server. Then the web server
authenticates the username and encrypted passwords back to the domain
controller/file server (in the same smb session so the encrypted passwords
are valid for the encryptionKey we got at the start).

Because IE is doing the encryption on the user's PC, we never see the plain
password, only the encrypted versions, hence the need to modify some of the
jcifs code.

I don't think this would be of much use to anyone else unless they are
working on code for a web server, web proxy, or other HTTP based service
where NTLM is used.

My computer is a bit too weak to run Mozilla, so I don't know whether or not
it can perform NTLM authentication. There's no reason why someone couldn't
add it though if it is missing that feature. I guess I could change my
Tomcat code to fall back to BASIC authentication if NTLM isn't recognised
and pass the plain username/password combination to the domain
controller/file server.

Regards,

Jason.

-----Original Message-----
From: Allen, Michael B (RSCH) [mailto:Michael_B_Allen at ml.com]
Sent: Wednesday, April 03, 2002 11:19 AM
To: 'Pugsley, Jason'; 'Michael B.Allen'; Tolman-Kevin
Cc: jcifs at lists.samba.org
Subject: RE: [jcifs] Using jcifs to validate users against NT




> -----Original Message-----
> From:	Pugsley, Jason [SMTP:Jason.Pugsley at team.telstra.com]
> Sent:	Tuesday, April 02, 2002 7:43 PM
> To:	'Michael B.Allen'; Tolman-Kevin
> Cc:	jcifs at lists.samba.org
> Subject:	RE: [jcifs] Using jcifs to validate users against NT
> 
> Hi,
> 
> Somewhat off topic to this discussion, but I've been working on a similar
> task. I'm using tomcat and jcifs, but in a slightly different way. My users
> are on the company intranet, and (because of company policy) use Internet
> Explorer by default. Many of the company's web sites started using NTLM
> authentication between the users' IE and web site's IIS servers. I've been
> using Java and Tomcat on a Solaris box but I wanted the same transparent
> logon for my users.
> 
> I created a new authentication class in Tomcat, a new class in jcifs, and
> some modifications to some jcifs classes. The logon process goes something
> like this:
> . Web browser requests web page
> . Web server checks if user is already authenticated, bypasses rest if they
> are.
> . Create a Tomcat session to persist jcifs data
> . Create the UniAddress objects for PDC and BDC
> . Send response to browser saying Authenticate with NTLM
> . Browser sends domain and host information
> . Server connects to PDC or BDC with SmbTransport.getSmbTransport(dc, port)
> . Send response to browser including transport.server.encryptionKey
> . Browser sends domain, host and username as well as encoded LM and NT
> passwords
> . Server sends username, encoded LM and NT passwords and domain to
> transport.getSmbSession()
> . If SmbAuthException or SmbException is thrown, reject logon otherwise
> accept user
> 
	Well this sounds interesting. But I'm not sure if I understand it
	exactly. Why do you send the encryptionKey to the browser? Does IE
	perform some kind of special authentication and if so is it specific
	to IE or will it work with Mozilla for example?

> Because the passwords from IE needed the encryptionKey from the domain
> controller, and because they then return already encoded passwords, I needed
> to modify some of the jcifs classes and create one of my own within smb to
> have access to protected package level objects (if someone knows more Java
> and a non-intrusive way to add my code please let me know).
> 
> To pass and process the already encoded passwords, I had to make additions
> to SmbComSessionSetupAndX.java, SmbSession.java, and SmbTransport.java
> 
> The changes were mostly in constructors to allow passing the 2 encoded
> passwords, and a test to skip encoding the already encoded passwords at
> writeParameterWordsWireFormat() in SmbComSessionSetupAndX.java
> 
> I also created SmbNTLM.java in the same package so there is a publicly
> accessible interface for Tomcat to use.
> 
> The changes are minimal, but would need more testing at someone else's site
> to be sure it works properly - I know it does for me, but my site does not
> get high traffic.
> 
> I've already mentioned this to the Tomcat developers as I thought it might
> be something other Tomcat web sites would find useful - I didn't get much of
> a response as I suspect most Tomcat developers don't work in an NT based
> intranet like me.
> 
> So, would it be appropriate to include my changes in jcifs, or is it out of
> the scope of the jcifs project. My understanding is that in order to get to
> the protected methods and data in the jcifs.smb package, my changes/classes
> need to be within that package. I can't simply create a new package outside
> jcifs and get to the innards of the jcifs classes, or am I not understanding
> something about Java.
> 
	I would be interested in including this sort of thing in the
	distribution provided the code was sane. It has always been my
	intention to create some kind of jcifs.Toolkit class for this kind
	of thing. Your code might be a very nice intermediate for people
	until we can get DCE/RPC working (if we ever do). Please tell me
	where I can find information about the authentication mechanism if
	it is specific to IE.

	Thanks
	Mike
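
Added example, not code from this thread, from jcifs or from Tomcat: a small Python model of the pass-through logon Jason lays out above. The Tomcat-side server obtains a fresh challenge (the thread's encryptionKey) from a stand-in domain controller for every logon, relays it to the browser, and hands the browser's challenge-bound response back over that same DC session, so the web server never holds the cleartext password; the Basic helper at the end shows the contrast the thread draws. Assumptions: the T1/T2/T3 framing and the DomainController/WebServer classes are simplified stand-ins, not the NTLMSSP wire format or the jcifs API; the response is computed NTLMv2-style (HMAC-MD5 keyed by the NT hash) rather than the DES-based LM/NT responses of the 2002 scheme; MD4 is implemented in pure Python because many current OpenSSL builds no longer provide it; the account and session names are constructed.

```python
import base64
import hashlib
import hmac
import os
import struct

def md4(data):
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 over the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c          # register rotation: ABCD -> DABC -> CDAB -> BCDA
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password):
    """What the domain controller stores; the cleartext itself is never needed."""
    return md4(password.encode("utf-16-le"))

def nt_proof(nt_hash_bytes, user, domain, challenge, client_nonce):
    """NTLMv2-style response (assumption: stands in for the thread's encoded LM/NT passwords)."""
    ntowf = hmac.new(nt_hash_bytes, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf, challenge + client_nonce, hashlib.md5).digest()

class DomainController:
    """Stand-in PDC/BDC: one challenge per SMB session, verified on that session only."""
    def __init__(self, accounts):               # {(DOMAIN, user): nt_hash}
        self.accounts, self.sessions = accounts, {}
    def open_session(self):                     # the thread's SmbTransport.getSmbTransport(dc, port)
        sid, challenge = os.urandom(4).hex(), os.urandom(8)
        self.sessions[sid] = challenge          # the thread's transport.server.encryptionKey
        return sid, challenge
    def session_setup(self, sid, domain, user, response):   # the thread's transport.getSmbSession()
        challenge = self.sessions.pop(sid, None)            # a challenge is good for one attempt
        key = self.accounts.get((domain.upper(), user.lower()))
        if challenge is None or key is None:
            return False
        proof, nonce = response[:16], response[16:]
        return hmac.compare_digest(nt_proof(key, user, domain, challenge, nonce), proof)

class WebServer:
    """Tomcat-side 401/NTLM state machine: relays opaque bytes, never sees a password."""
    def __init__(self, dc):
        self.dc, self.pending, self.authed = dc, {}, set()
    def handle(self, session, authorization=None):
        """One request in; returns (status, WWW-Authenticate value or None)."""
        if session in self.authed:              # already authenticated: bypass the rest
            return 200, None
        if not authorization or not authorization.startswith("NTLM "):
            return 401, "NTLM"                  # 'Authenticate with NTLM'
        msg = base64.b64decode(authorization[5:])
        if msg.startswith(b"T1:"):              # browser sent domain and host
            sid, challenge = self.dc.open_session()
            self.pending[session] = sid
            return 401, "NTLM " + base64.b64encode(b"T2:" + challenge).decode()
        if msg.startswith(b"T3:"):              # domain, user, host and the encoded response
            domain, user, _host, response = msg[3:].split(b"|", 3)
            sid = self.pending.pop(session, None)
            if sid and self.dc.session_setup(sid, domain.decode(), user.decode(), response):
                self.authed.add(session)
                return 200, None
            return 401, "NTLM"                  # SmbAuthException in the thread: reject logon
        return 400, None

def start_logon(server, session, domain, host):
    """IE side, first half: get told 'NTLM', send domain/host, receive the challenge."""
    assert server.handle(session) == (401, "NTLM")
    t1 = "NTLM " + base64.b64encode(f"T1:{domain}|{host}".encode()).decode()
    return base64.b64decode(server.handle(session, t1)[1][5:])[3:]

def browser_login(server, session, domain, host, user, password):
    """IE side, full exchange; returns (final status, the Type-3 header that was sent)."""
    challenge, nonce = start_logon(server, session, domain, host), os.urandom(8)
    proof = nt_proof(nt_hash(password), user, domain, challenge, nonce)
    t3 = "NTLM " + base64.b64encode(f"T3:{domain}|{user}|{host}|".encode() + proof + nonce).decode()
    return server.handle(session, t3)[0], t3

def basic_credentials(authorization):
    """Contrast with Basic: base64 only, so the web server does hold the cleartext."""
    user, _, password = base64.b64decode(authorization.split(" ", 1)[1]).decode().partition(":")
    return user, password

if __name__ == "__main__":
    dc = DomainController({("CORP", "alice"): nt_hash("s3cret")})   # constructed account
    ws = WebServer(dc)
    print("pass-through logon:", browser_login(ws, "tomcat-1", "CORP", "PC1", "alice", "s3cret")[0])
```

Running a captured Type-3 header against a second Tomcat session that has obtained its own challenge is rejected, which is the reason the thread's design validates the response on the same SMB session that supplied the encryptionKey: the proof is bound to that one challenge, and the DC stand-in here additionally discards a challenge after a single attempt.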



