[jcifs] NTLM HTTP Authentication and SMB Signing

Eric eglass1 at comcast.net
Wed Apr 7 20:58:53 GMT 2004 

Paul.Holaj at dekabank.de wrote:
> Hi,
> 
> we use a Struts based web application with IE 5.5 and NTLM HTTP
> Authentication filter via JCIFS 0.8.1. 
> Our Domain Controllers were updated to Win2003Server with SMB signing
> switched on. 
> When using our application against the new DC, we get an "access denied"
> error if whe authenticate 
> more than one user (1st user succeeds, next users get 'access denied'
> error in DC response).
> 
> In the JCIFS CHANGES.TXT file I found the following passages concerning
> SMB signing:
> 
> (jcifs-0.8.0b1.)
> ...
> Only  SMBs  that  follow  authentication  need to be actually signed if
> SMB
> signing  is  enabled.  ...  However because the  NTLM  HTTP  Filter
> does  
> not send additional SMBs, signing will never actually  occur. ...
> 
> (jcifs-0.7.13)
> JCIFS  now  supports SMB signing. ...  Signing does not work with 
> NTLM HTTP authentication because  the  original  password  hashes  are  
> required to generate the MAC signing  key. ...
> 

I don't currently have an environment where I could verify this, but 
here's a scenario that might explain the observed behavior:

The first user completes the NTLM handshake on the back end and gets 
authenticated.  The server initiates signing with the session setup 
response.  We don't verify the signature from the server (since we don't 
really care, and we don't have the MAC key to actually verify it 
anyways).  The user is authenticated and goes on his merry way.

Now user number 2 comes along.  We have the challenge from the negotiate 
response already, so we send that in the Type 2.  The user sends the 
Type 3, and we try to do a session setup over the existing connection. 
However, signing has been setup on that connection already, using the 
first user's credentials.  We don't have the means to successfully 
calculate the signature for the session setup request, so the server 
sends back an error.

I can think of a couple fixes for this (if this is indeed what is 
occurring), neither of which are really all that great:

1) Don't reuse the SMB connection (i.e., do one-to-one with sessions and 
connections to the DC).  This would allow each incoming HTTP connection 
to set up a new connection with the DC, each of which would get a new 
challenge and set up signing fresh.  I think there's a config option for 
that; Mike might know off the top of his head.  I'd test this first, and 
see if it remediates the issue.

2) An ugly hack to do the initial session setup using an account with 
known credentials (i.e., authenticate with a dummy account to set up 
signing over the connection, then reuse the connection for real 
authentications later).  This is really kludgy though.

If you've got a packet capture, it would be helpful to verify this is 
what's happening.

Eric

More information about the jcifs mailing list