[jcifs] NTLM Authentication and multiple domains

Michael B. Allen miallen at eskimo.com
Thu Mar 6 07:30:12 EST 2003


On Wed, 5 Mar 2003 13:31:37 -0500 
Gerald Nunn <gnunn at workbrain.com> wrote:

> Is it possible to use the NTLM filter to handle authentication against
> multiple domains from the same application server? One way I was considering

Yes, although it's not perfectly clear to me which yes I'm answering. I
suspect you mean that you want to authenticate clients that might be
members of one of several domains.  The jCIFS client normally uses
the NbtAddress class to look up the domain controller for the specified
domain so it inherently has this functionality. However the NtlmHttpFilter
uses a hardcoded domainController init-parameter to specify the domain
controller. I'm not sure why we did this because it is conceivable that
the domain could be extracted from the third NTLMSSP message and used
with NbtAddress to locate the appropriate domain controller.

At the very least you can extract the domain from the third message
(note the comment in http/NtlmSsp.java line 60) and use it to look up a
domain controller in a map constructed from init parameters.

This code is very modular. You can always create your own filter using
NtlmSsp.java but modifying the existing filter would be easiest.

> doing it is by altering the code to authenticate against a different WINS
> gateway depending on the user domain, is this realistic? I realize that it
> might be possible to do this by creating two way trusts in the NT network,
> however the client is not very keen on making any changes to their
> networking infrastructure.

None of this should be necessary unless I'm not understanding your
question.

Mike

-- 
A  program should be written to model the concepts of the task it
performs rather than the physical world or a process because this
maximizes  the  potential  for it to be applied to tasks that are
conceptually  similar and, more important, to tasks that have not
yet been conceived. 
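
The approach suggested in the message above (read the domain from the third NTLMSSP message and look it up in a map built from init parameters), sketched as an added example that is not part of the original message and is not jCIFS code. The class name, the map contents and the host names are hypothetical, and the parser assumes a Type 3 message with the 64-byte header that carries the flags field.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;

public class Type3DomainRouter {
    static final byte[] SIG = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    static final int NEGOTIATE_UNICODE = 0x00000001;

    /** Returns the domain name carried in an NTLMSSP Type 3 message. */
    static String domainOf(byte[] msg) {
        // Assumption: 64-byte header (session key and flags fields present).
        if (msg.length < 64 || !Arrays.equals(Arrays.copyOf(msg, 8), SIG))
            throw new IllegalArgumentException("not an NTLMSSP message");
        ByteBuffer b = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        if (b.getInt(8) != 3)
            throw new IllegalArgumentException("not a Type 3 message");
        int len = b.getShort(28) & 0xFFFF; // domain security buffer: length
        int off = b.getInt(32);            // and offset of the name bytes
        // Both values come from the client: bounds-check before slicing.
        if (off < 64 || off > msg.length - len)
            throw new IllegalArgumentException("domain buffer out of bounds");
        boolean unicode = (b.getInt(60) & NEGOTIATE_UNICODE) != 0;
        // ISO-8859-1 stands in for the OEM code page (assumption).
        return new String(msg, off, len,
            unicode ? StandardCharsets.UTF_16LE : StandardCharsets.ISO_8859_1);
    }

    /** Maps the client-claimed domain to a configured controller, or throws. */
    static String controllerFor(byte[] type3, Map<String, String> controllers) {
        String dc = controllers.get(domainOf(type3).toUpperCase(Locale.ROOT));
        if (dc == null) // unknown domain: refuse rather than go looking for it
            throw new SecurityException("domain not configured");
        return dc;
    }

    public static void main(String[] args) {
        // Constructed sample: Type 3 header plus the domain "SALES" in UTF-16LE.
        byte[] dom = "SALES".getBytes(StandardCharsets.UTF_16LE);
        ByteBuffer m = ByteBuffer.allocate(64 + dom.length).order(ByteOrder.LITTLE_ENDIAN);
        m.put(SIG).putInt(3).putShort(28, (short) dom.length).putInt(32, 64);
        m.putInt(60, NEGOTIATE_UNICODE).position(64);
        m.put(dom);
        // Hypothetical map, as it might be built from filter init parameters.
        Map<String, String> dcs = Map.of("SALES", "dc1.sales.example", "ENG", "dc1.eng.example");
        System.out.println(controllerFor(m.array(), dcs));
    }
}
```

The domain field is supplied by the client before any credential has been checked, so the example treats it only as a key into the configured map and rejects anything that is not listed.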

