[jcifs] NTLM Authentication and multiple domains

Allen, Michael B (RSCH) Michael_B_Allen at ml.com
Thu Mar 6 10:21:03 EST 2003



> -----Original Message-----
> From:	eglass1 at attbi.com [SMTP:eglass1 at attbi.com]
> Sent:	Wednesday, March 05, 2003 3:56 PM
> To:	Michael B. Allen
> Cc:	jcifs at lists.samba.org; Gerald Nunn
> Subject:	Re: [jcifs] NTLM Authentication and multiple domains
> 
> 
> > On Wed, 5 Mar 2003 13:31:37 -0500 
> > Gerald Nunn <gnunn at workbrain.com> wrote:
> > 
> > > Is it possible to use the NTLM filter to handle authentication against
> > > multiple domains from the same application server? One way I was considering
> > 
> > Yes, although it's not perfectly clear to me which yes I'm answering. I
> > suspect you mean that you want to authenticate clients that might be
> > members of one of several domains.  The jCIFS client normally uses
> > the NbtAddress class to look up the domain controller for the specified
> > domain so it inherently has this functionality. However the NtlmHttpFilter
> > uses a hardcoded domainController init-parameter to specify the domain
> > controller. I'm not sure why we did this because it is conceivable that
> > the domain could be extracted from the third NTLMSSP message and used
> > with NbtAddress to locate the appropriate domain controller.
> > 
> 
> Isn't the type-3 message a response to the type-2 challenge?  Meaning,
> wouldn't you have to get a challenge from the domain controller to create
> the type-2 message in the first place, before deriving the correct domain
> controller from the domain in the type-3 message?
> 
Yes. I remember now this is exactly why we didn't (couldn't) extract the domain
from the NTLMSSP negotiation.

> At one point using the domain specified in the type-1 message was proposed --
> but this is the workgroup, and not necessarily the authentication domain
> (see http://lists.samba.org/pipermail/jcifs/2002-October/001287.html for
> Mike's explanation, which also touches on why the domainController property
> is used).
> 
> > At the very least you can extract the domain from the third message
> > (note the comment in http/NtlmSsp.java line 60) and use it to look up a
> > domain controller in a map constructed from init parameters.
> > 
> 
> I was doing something similar for a while with the workgroup
> from the type-1 message.  Which is interesting, because authenticating
> clients against arbitrary domains with no established trust relationship
> is something IIS is unable to do.
> 
> Eric 
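As an added example (not code from this thread or from jCIFS) of the ordering problem Eric raises: a small Python parser that pulls the domain field out of NTLMSSP Type-1 and Type-3 messages, with constructed sample messages, and a `choose_dc` helper showing that at the point the filter must select a domain controller (before any Type-2 challenge exists) the only client-supplied value is the Type-1 workgroup. The field offsets follow the standard NTLMSSP message layout; `build_type1`, `build_type3` and `choose_dc` are hypothetical helpers written for this illustration.

```python
import struct

SIG = b"NTLMSSP\x00"
NEG_UNICODE, NEG_OEM_DOMAIN_SUPPLIED = 0x00000001, 0x00001000

def _secbuf(data, off):
    # NTLM "security buffer": uint16 length, uint16 maxlen, uint32 offset from message start
    length, _maxlen, start = struct.unpack_from("<HHI", data, off)
    return data[start:start + length]

def ntlmssp_domain(msg):
    """Return (message_type, domain_or_None) for a raw NTLMSSP message."""
    if msg[:8] != SIG:
        raise ValueError("not an NTLMSSP message")
    mtype, = struct.unpack_from("<I", msg, 8)
    if mtype == 1:
        # Type-1 carries only the client's workgroup (OEM text at offset 16), and only
        # when the client chose to supply it: not necessarily the authenticating domain.
        flags, = struct.unpack_from("<I", msg, 12)
        return 1, (_secbuf(msg, 16).decode("ascii") if flags & NEG_OEM_DOMAIN_SUPPLIED else None)
    if mtype == 3:
        # Type-3: LM resp @12, NTLM resp @20, domain @28, user @36, workstation @44,
        # session key @52, flags @60. This domain is the real authentication domain, but
        # the message only exists after a Type-2 challenge was already fetched from some DC.
        flags = struct.unpack_from("<I", msg, 60)[0] if len(msg) >= 64 else 0
        return 3, _secbuf(msg, 28).decode("utf-16-le" if flags & NEG_UNICODE else "ascii")
    return mtype, None

def build_type1(workgroup):
    """Constructed Type-1 message carrying the optional workgroup field (test input)."""
    wg = workgroup.encode("ascii")
    hdr = SIG + struct.pack("<II", 1, NEG_OEM_DOMAIN_SUPPLIED)
    hdr += struct.pack("<HHI", len(wg), len(wg), 32)      # domain/workgroup buffer
    hdr += struct.pack("<HHI", 0, 0, 32 + len(wg))        # empty workstation buffer
    return hdr + wg

def build_type3(domain, user):
    """Constructed Type-3 message with empty LM/NTLM responses (test input)."""
    dom, usr = domain.encode("utf-16-le"), user.encode("utf-16-le")
    hdr = SIG + struct.pack("<I", 3) + struct.pack("<HHI", 0, 0, 64) * 2   # LM/NTLM responses
    hdr += struct.pack("<HHI", len(dom), len(dom), 64)                     # domain
    hdr += struct.pack("<HHI", len(usr), len(usr), 64 + len(dom))          # user
    hdr += struct.pack("<HHI", 0, 0, 64 + len(dom) + len(usr)) * 2         # workstation, session key
    return hdr + struct.pack("<I", NEG_UNICODE) + dom + usr

def choose_dc(type1_msg, dc_by_domain, default_dc):
    """The filter must pick a DC before it can fetch the Type-2 challenge, so the only
    client-supplied hint available at that point is the Type-1 workgroup (if any)."""
    _, workgroup = ntlmssp_domain(type1_msg)
    return dc_by_domain.get(workgroup, default_dc)
```

Running `ntlmssp_domain` over a constructed pair shows the mismatch the thread describes: the Type-1 workgroup may differ from the Type-3 domain, and `choose_dc` has already committed to a controller by the time the Type-3 domain is visible.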
