[jcifs] How long is a NtlmPasswordAuthentication object valid?

Allen, Michael B (RSCH) Michael_B_Allen at ml.com
Thu Jul 17 09:32:09 EST 2003


This is a tricky question to answer. First some groundwork:

The system gravitates to authenticating the client with each request. But as an
optimization it stores the NtlmPasswordAuthentication object in the HttpSession. So if
on subsequent requests it happens to still be there then it will use it and skip an
additional authentication. If it is not there it will reauthenticate NTLM.

As for the hashes in the NtlmPasswordAuthentication objects they will be good for as
long as the transport to the target SMB server remains open. So if you're using an NPA
to access files on a server the transport to that server must remain open. If you're using
an NPA to authenticate against the domain controller the transport to the domain
controller must remain open. Transports automatically close after something like 15
seconds (jcifs.smb.client.soTimeout) if they are completely idle. Trying to use an NPA
with the old hashes to re-authenticate with the target will fail because the server
"challenge" will be different.

Here's the tricky part. The NPA password hashes should be updated *in-place* if the
client reauthenticates NTLM. So in theory the client could negotiate NTLM http
authentication from which you get an NPA object and use that to access files, named
pipes, etc. Then the transport to the target SMB server closes invalidating the NPA
password hashes because the server challenge is now wrong. Now the client makes
another request re-negotiating NTLM http authentication which updates the NPA
password hashes *in-place* and you can go about your business with the *same*
NtlmPasswordAuthentication object.

At one time this did work like that but I haven't tested this in a while. Can you confirm,
Eric?

Mike

> -----Original Message-----
> From:	Finkenzeller, Stefan [SMTP:Stefan.Finkenzeller at blb.de]
> Sent:	Wednesday, July 16, 2003 10:03 AM
> To:	jcifs at lists.samba.org
> Subject:	[jcifs] How long is a NtlmPasswordAuthentication object valid?
> 
> Hello, 
> 
> I'm using the NtlmServlet to authenticate users in a Master-Domain-Windows NT environment and it works great. But I've one question for understanding. If the NtlmServlet authenticates a user it
> stores the NtlmPasswordAuthentication object (with the unicode Hash of the user) in the servlet session and the servlet can create a valid SmbSession with this security token. 
> 
> How long is this object valid to authenticate the user again, or in other words how long will the domain controller accept his challenge?
> 
> BTW: Thanks for jCIFS. Great job. 
> 
> Best regards, 
> Stefan Finkenzeller 
> 
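The challenge binding described in the reply above, as an added example that is not part of the original message and is not jCIFS code: it computes the classic 24-byte NTLM response (16-byte hash padded to 21 bytes, three DES keys, each encrypting the 8-byte server challenge) and shows a cached response being accepted only while the challenge it was computed against is still current. The class name, method names and the random hash are constructed for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added illustration; class and method names are hypothetical, not jCIFS API.
public class ChallengeBoundResponse {

    // Spread 7 key bytes over the 8-byte form DES expects (7 key bits per byte, parity bit unused).
    static byte[] desKey(byte[] src, int off) {
        long bits = 0;
        for (int i = 0; i < 7; i++) bits = (bits << 8) | (src[off + i] & 0xFF);
        byte[] key = new byte[8];
        for (int i = 7; i >= 0; i--) { key[i] = (byte) ((bits & 0x7F) << 1); bits >>>= 7; }
        return key;
    }

    // 24-byte response: the 16-byte hash is zero-padded to 21 bytes, cut into three
    // DES keys, and each key encrypts the server's 8-byte challenge.
    static byte[] response(byte[] hash16, byte[] challenge) throws Exception {
        byte[] padded = Arrays.copyOf(hash16, 21);
        byte[] out = new byte[24];
        Cipher des = Cipher.getInstance("DES/ECB/NoPadding");
        for (int i = 0; i < 3; i++) {
            des.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(desKey(padded, 7 * i), "DES"));
            des.doFinal(challenge, 0, 8, out, 8 * i);
        }
        return out;
    }

    // Server side: recompute from its own current challenge and compare.
    static boolean accepts(byte[] hash16, byte[] currentChallenge, byte[] presented) throws Exception {
        return MessageDigest.isEqual(response(hash16, currentChallenge), presented);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] hash = new byte[16], c1 = new byte[8], c2 = new byte[8];
        rng.nextBytes(hash); // constructed stand-in for the user's password hash
        rng.nextBytes(c1);   // challenge issued on the first transport
        rng.nextBytes(c2);   // challenge issued after the transport was reopened

        byte[] cached = response(hash, c1); // what the middle tier keeps for the user
        System.out.println("transport still open: " + accepts(hash, c1, cached));
        System.out.println("transport reopened:   " + accepts(hash, c2, cached));
        cached = response(hash, c2);        // client re-negotiates against the new challenge
        System.out.println("after re-negotiation: " + accepts(hash, c2, cached));
    }
}
```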



