[jcifs] NTLMv2 support
alaud at rsasecurity.com
Sat Sep 27 03:04:10 EST 2003
Thanks for your reply. It helped me understand the issue better. One
question related to LMv2 and pass through authentication. You mentioned that
LMv2 without NTLMv2 might work only in pass through authentication. We use
jCIFS to validate a user's credentials against a domain server. It seems that
we won't be doing pass through authentication in such a scenario. So, we may
see issues authenticating users in such cases?
Note: Chris, thanks for the reference link on the LMv2 and NTLMv2
From: Eric [mailto:eglass1 at comcast.net]
Sent: Thursday, September 25, 2003 5:01 PM
To: Laud, Amar
Cc: 'jcifs at lists.samba.org'
Subject: Re: [jcifs] NTLMv2 support
> I am new to the jcifs and have a question regarding supporting NTLMv2. The
> latest API documentation mentions about jcifs.smb.lmCompatibility property
> which allows LMv2 response. I also stumbled on one of the archived
> which talked about LMv2 being effectively same as NTLMv2. Does anybody
> the latest plans on supporting NTLMv2 in jcifs? Is LMv2 response enough
> work with Windows 2003 domain server configured to use NTLMv2?
jCIFS just sends the LMv2 response, rather than both the LMv2 and
NTLMv2; this should authenticate properly in *most* cases.
Cryptographically, the LMv2 and NTLMv2 responses are more or less
identical; there are, however, some semantics attached to the NTLMv2
TargetInformation structure that are difficult to reconstruct without
CIFS extended security.

Basically, the TargetInformation structure is sent in the NTLM type 2
message along with the challenge; this is normally copied verbatim into
the type 3 NTLMv2 response. Under extended security, you get a full
NTLM type 2 message, so you can do this properly.

With jCIFS, we don't do extended security currently; we just get a
challenge, and would have to "fake" an appropriate TargetInformation
structure. In many scenarios, the TargetInformation isn't checked, so
doing NTLMv2 this way works properly. I had difficulties, however, when
authenticating a user in Domain A against a machine whose primary domain
was Domain B.

Sending only the LMv2 response seems to alleviate most of these issues.
I have seen some issues authenticating against standalone servers and
with local accounts; it may be that LMv2 without NTLMv2 only works in a
passthrough scenario. More research is probably warranted. But in most
cases, it works fine. This is probably a roundabout way of answering
your question ;)
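
The relationship between the two responses described in the message above, as an added Python example that is not part of the original thread and is not jCIFS code. The NT hash, challenges, timestamp, user, domain and server names are all constructed sample values; the NT hash is passed in directly as a stand-in for MD4 of the UTF-16LE password.

```python
import hmac
import struct

# Constructed sample values (not from the original thread).
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")  # stands in for MD4(UTF-16LE(password))
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")  # bare 8-byte challenge, no type 2 message
CLIENT_NONCE = bytes.fromhex("aa" * 8)
TIMESTAMP = 127_000_000_000_000_000  # 100 ns ticks since 1601-01-01

def hmac_md5(key, data):
    return hmac.new(key, data, "md5").digest()

def ntlmv2_hash(nt_hash, user, target):
    """Key shared by both responses: HMAC-MD5(NT hash, UPPER(user) + target)."""
    return hmac_md5(nt_hash, (user.upper() + target).encode("utf-16-le"))

def lmv2_response(v2_hash, server_challenge, client_nonce):
    """LMv2: the MAC covers only the two 8-byte challenges."""
    return hmac_md5(v2_hash, server_challenge + client_nonce) + client_nonce

def target_info(nb_domain, nb_server):
    """AV pairs as carried in a type 2 message: id, length, UTF-16LE value."""
    out = b""
    for av_id, value in ((2, nb_domain), (1, nb_server)):  # 2 = NetBIOS domain, 1 = NetBIOS server
        raw = value.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(raw)) + raw
    return out + struct.pack("<HH", 0, 0)  # terminator pair

def ntlmv2_blob(timestamp, client_nonce, tinfo):
    """NTLMv2 blob: header, timestamp, client nonce, then the TargetInformation."""
    return (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", timestamp)
            + client_nonce + b"\x00" * 4 + tinfo + b"\x00" * 4)

def ntlmv2_response(v2_hash, server_challenge, blob):
    """NTLMv2: same MAC, but computed over the challenge plus the whole blob."""
    return hmac_md5(v2_hash, server_challenge + blob) + blob

if __name__ == "__main__":
    key = ntlmv2_hash(NT_HASH, "user", "DOMAINA")
    print("LMv2  ", lmv2_response(key, SERVER_CHALLENGE, CLIENT_NONCE).hex())
    for dom in ("DOMAINA", "DOMAINB"):  # a guessed TargetInformation changes only the NTLMv2 MAC
        blob = ntlmv2_blob(TIMESTAMP, CLIENT_NONCE, target_info(dom, "SERVER"))
        print("NTLMv2", dom, ntlmv2_response(key, SERVER_CHALLENGE, blob)[:16].hex())
```

Both responses use the same key and the same HMAC-MD5 construction; only the NTLMv2 one binds the TargetInformation bytes, which is why a client that sees just the challenge can produce LMv2 exactly but has to guess the NTLMv2 input.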