[jcifs] NTLM Authentication and multiple domains

eglass1 at attbi.com
Thu Mar 6 07:55:33 EST 2003


> On Wed, 5 Mar 2003 13:31:37 -0500 
> Gerald Nunn <gnunn at workbrain.com> wrote:
> 
> > Is it possible to use the NTLM filter to handle authentication against
> > multiple domains from the same application server? One way I was considering
> 
> Yes, although it's not perfectly clear to me which yes I'm answering. I
> suspect you mean that you want to authenticate clients that might be
> members of one of several domains.  The jCIFS client normally uses
> the NbtAddress class to look up the domain controller for the specified
> domain so it inherently has this functionality. However the NtlmHttpFilter
> uses a hardcoded domainController init-parameter to specify the domain
> controller. I'm not sure why we did this because it is conceivable that
> the domain could be extracted from the third NTLMSSP message and used
> with NbtAddress to locate the appropriate domain controller.
> 

Isn't the type-3 message a response to the type-2 challenge?  Meaning,
wouldn't you have to get a challenge from the domain controller to create
the type-2 message in the first place, before deriving the correct domain
controller from the domain in the type-3 message?

At one point using the domain specified in the type-1 message was proposed --
but this is the workgroup, and not necessarily the authentication domain
(see http://lists.samba.org/pipermail/jcifs/2002-October/001287.html for
Mike's explanation, which also touches on why the domainController property
is used).

> At the very least you can extract the domain from the third message
> (note the comment in http/NtlmSsp.java line 60) and use it to look up a
> domain controller in a map constructed from init parameters.
> 

I was doing something similar for a while with the workgroup
from the type-1 message.  Which is interesting, because authenticating
clients against arbitrary domains with no established trust relationship
is something IIS is unable to do.

Eric 
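
The ordering question discussed in this thread, as an added example that is not part of the original message and not jCIFS code: a minimal parser that reads the supplied domain from a Type 1 message and the authentication domain from a Type 3 message, then looks each up in a fixed map. The map contents, host names, sample messages and function names are all constructed for illustration, and the Type 3 parser assumes the optional flags field at offset 60 is present.

```python
import struct

SIG = b"NTLMSSP\x00"
UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE

def _secbuf(msg, off):
    """Return the bytes named by the security buffer (len, maxlen, offset) at `off`."""
    length, _maxlen, ptr = struct.unpack_from("<HHI", msg, off)
    if ptr + length > len(msg):  # pre-authentication, client-controlled input
        raise ValueError("security buffer points outside the message")
    return msg[ptr:ptr + length]

def msg_type(msg):
    if len(msg) < 12 or msg[:8] != SIG:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", msg, 8)[0]

def type1_domain(msg):
    """Supplied domain of a Type 1 message (OEM string, buffer at offset 16)."""
    if msg_type(msg) != 1:
        raise ValueError("expected a Type 1 message")
    return _secbuf(msg, 16).decode("ascii").upper()

def type3_domain(msg):
    """Authentication domain of a Type 3 message (buffer at offset 28, flags at 60)."""
    if msg_type(msg) != 3:
        raise ValueError("expected a Type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    return _secbuf(msg, 28).decode("utf-16-le" if flags & UNICODE else "ascii").upper()

def build_type1(domain, workstation):  # constructed sample, not a capture
    d, w = domain.encode("ascii"), workstation.encode("ascii")
    hdr = SIG + struct.pack("<II", 1, 0x3202)  # OEM | NTLM | domain + workstation supplied
    hdr += struct.pack("<HHI", len(d), len(d), 32) + struct.pack("<HHI", len(w), len(w), 32 + len(d))
    return hdr + d + w

def build_type3(domain, user, workstation):  # constructed sample, zeroed responses
    parts = [bytes(24), bytes(24)] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    hdr, body = SIG + struct.pack("<I", 3), b""
    for p in parts:  # LM, NT, domain, user, workstation, session key
        hdr += struct.pack("<HHI", len(p), len(p), 64 + len(body))
        body += p
    return hdr + struct.pack("<I", UNICODE | 0x200) + body

# Hypothetical map built from filter init parameters; names are placeholders.
DC_MAP = {"ENGINEERING": "dc1.example.test", "SALES": "dc2.example.test"}

def pick_dc(domain, dc_map=DC_MAP):
    """The client-supplied domain is only a key into a fixed map, never resolved directly."""
    return dc_map.get(domain.upper())

def demo():
    t1, t3 = build_type1("WORKGROUP", "PC42"), build_type3("SALES", "alice", "PC42")
    # The Type 2 challenge has to be sent between these two lookups.
    return pick_dc(type1_domain(t1)), pick_dc(type3_domain(t3))
```

With these samples the Type 1 lookup finds no controller (the workgroup is not a mapped domain), while the Type 3 lookup does, but only after a challenge has already been issued.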

