[jcifs] Using JCIFS with JRun 4

eglass1 at attbi.com eglass1 at attbi.com
Fri Apr 18 18:36:51 EST 2003
> > -----Original Message-----
> > From:	eglass1 at attbi.com [SMTP:eglass1 at attbi.com]
> > 
> > > But ... the password or password hashes will not be available to create
> > > an NtlmPasswordAuthentication object which would be necessary to access
> > > SmbFiles using the supplied credentials. It doesn't sound like Jason
> > > needs that but I thought I should clarify.
> > > 
> > > Mike
> > 
> > Ah.  Good point.  Although if he really wanted to go the extra mile, the
> > Type 3 response would be available in the "Authorization" header after
> > authentication; I suppose he could manually parse out the hashes in a pinch.
> > 
> 	Nope. Those hashes have the 8 byte challenge of the domain controller
> 	factored in. The negotiation process must be performed for each server
> 	the user will be connecting to.
> 
> 	Mike
> 

Correct -- preselecting the server that will generate the challenge is something
that, as far as I know, you just can't do with IIS (although that is more
NetworkExplorer functionality than NtlmHttpFilter, since you would have to
reauthenticate the client against the new server).  In fact, using the
IIS-negotiated hashes is probably useless anyways, since there is a good
likelihood that they came from a server other than the web server your app
is on.  Unless your web server also happens to be a domain controller, it will
get the challenge from a DC, and that's almost certainly not where your files
reside.

This (in my opinion anyways) is one of the jCIFS "killer apps" -- the amount
of control that it provides over the authentication process is very useful, and
there isn't a real equivalent in the MS world.

On a marginally related note, we talked previously about the possibility of
using the controller for the domain sent in the Type 1 message to generate the
challenge.  I know that ended up being infeasible, due to the fact that a) it
doesn't always match the actual domain against which the client is
authenticating, and b) it is not sent by Win9x clients, and Win2K+ clients only
send it during "automatic" NTLM authentication.  But what is that field's
intended use?  The only documentation I can find indicates it is the
"OEM supplied domain"; if it isn't related to the authentication process,
why are they supplying it?

Eric
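To illustrate Mike's point that the Type 3 response has the server's 8-byte challenge factored in, here is an added example (not code from this thread or from jCIFS) that computes an NTLM response for one challenge and then checks it against a second server's challenge. It uses the NTLMv2 HMAC-MD5 construction rather than the DES-based NTLMv1 response jCIFS used at the time, since the binding to the challenge works the same way; the NT hash, user, domain, challenges and blob are all constructed values.

```python
import hmac
import hashlib

# Constructed NT hash (MD4 of the UTF-16LE password). MD4 is not reliably
# available in hashlib, so the 16-byte value is supplied directly here.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")

def ntlmv2_hash(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 over UPPER(user) + domain, keyed with the NT hash."""
    data = (user.upper() + domain).encode("utf-16le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()

def ntlmv2_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """The 'NTLM response' carried in the Type 3 message:
    HMAC-MD5(ntlmv2_hash, server_challenge || blob) || blob.
    The 8-byte challenge is mixed into the proof, so the result is only
    meaningful to the server that issued that particular challenge."""
    key = ntlmv2_hash(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob

def server_verifies(nt_hash: bytes, user: str, domain: str,
                    issued_challenge: bytes, response: bytes) -> bool:
    """What the authenticating server (or its DC) does: recompute the proof
    with the challenge *it* issued and compare in constant time."""
    proof, blob = response[:16], response[16:]
    key = ntlmv2_hash(nt_hash, user, domain)
    expected = hmac.new(key, issued_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)

def demo() -> tuple:
    """Returns (accepted by the challenge issuer, accepted by a different server)."""
    user, domain = "jason", "EXAMPLE"           # constructed identity
    # Simplified client blob: header, reserved, and an 8-byte client nonce.
    # A real blob also carries a timestamp and the target-info block.
    blob = bytes.fromhex("0101000000000000") + b"\x00" * 8 \
        + bytes.fromhex("1122334455667788") + b"\x00" * 4
    dc_challenge = bytes.fromhex("0123456789abcdef")          # from the web server's DC
    file_server_challenge = bytes.fromhex("fedcba9876543210")  # what the file server would issue
    resp = ntlmv2_response(NT_HASH, user, domain, dc_challenge, blob)
    return (server_verifies(NT_HASH, user, domain, dc_challenge, resp),
            server_verifies(NT_HASH, user, domain, file_server_challenge, resp))
```

The second value is False: a response captured from the web server's Authorization header cannot be replayed to a file server that issued its own challenge, which is why the negotiation has to be repeated per server.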
