[jcifs] NTLM HTTP Authentication and SMB Signing
Michael B Allen
mba2000 at ioplex.com
Wed Apr 7 21:24:02 GMT 2004
Eric said:
> The first user completes the NTLM handshake on the back end and gets
> authenticated. The server initiates signing with the session setup
> response. We don't verify the signature from the server (since we don't
> really care, and we don't have the MAC key to actually verify it
> anyways). The user is authenticated and goes on his merry way.
>
> Now user number 2 comes along. We have the challenge from the negotiate
> response already, so we send that in the Type 2. The user sends the
> Type 3, and we try to do a session setup over the existing connection.
> However, signing has been set up on that connection already, using the
> first user's credentials. We don't have the means to successfully
> calculate the signature for the session setup request, so the server
> sends back an error.

Signing subsequent SessionSetup requests makes sense but I thought the
Filter worked with servers that required signatures? Can anyone confirm?

> I can think of a couple fixes for this (if this is indeed what is
> occurring), neither of which are really all that great:
>
> 1) Don't reuse the SMB connection (i.e., do one-to-one with sessions and
> connections to the DC). This would allow each incoming HTTP connection
> to set up a new connection with the DC, each of which would get a new
> challenge and set up signing fresh. I think there's a config option for
> that; Mike might know off the top of his head. I'd test this first, and
> see if it remediates the issue.

It's currently not an option but it's on the list for the next release.
I'll look at that next.

> 2) An ugly hack to do the initial session setup using an account with
> known credentials (i.e., authenticate with a dummy account to set up
> signing over the connection, then reuse the connection for real
> authentications later). This is really kludgy though.

It's kludgy but it doesn't require any core changes. It could be confined
entirely to the filter.

> If you've got a packet capture, it would be helpful to verify this is
> what's happening.

Definitely should look at a capture [1] of this. But we should be able to
reproduce the behavior by simply pointing
jcifs.smb.client.domainController at a machine that supports signing and
using jcifs.smb.client.signingPreferred = true.

Mike

[1] http://jcifs.samba.org/capture.html
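
The failure Eric describes and the two proposed fixes, as a simplified model of SMB1 signing (an added example, not part of this thread and not jCIFS code). The `Connection` class, the function names and the byte-string keys are hypothetical; the keys are constructed stand-ins for the MAC key that would be derived from each user's credentials, and the sequence numbering is reduced to one step per exchange.

```python
import hashlib
import struct

SIG_OFFSET = 14  # SecuritySignature field offset in the SMB1 header

def smb1_sign(mac_key, seq, msg):
    """Put seq in the signature field, then overwrite it with MD5(key+msg)[:8]."""
    buf = bytearray(msg)
    buf[SIG_OFFSET:SIG_OFFSET + 8] = struct.pack("<II", seq, 0)
    digest = hashlib.md5(mac_key + bytes(buf)).digest()
    buf[SIG_OFFSET:SIG_OFFSET + 8] = digest[:8]
    return bytes(buf)

class Connection:
    """Server-side view of one SMB transport (simplified)."""
    def __init__(self):
        self.mac_key = None  # set by the first successful session setup
        self.seq = 0

    def session_setup(self, req, user_mac_key):
        if self.mac_key is None:
            # Signing starts with the response to the first session setup.
            self.mac_key, self.seq = user_mac_key, 2
            return True
        # Signing is active: the request must verify under the first user's key.
        ok = smb1_sign(self.mac_key, self.seq, req) == req
        self.seq += 2
        return ok

def request(user):
    # Constructed SessionSetupAndX stand-in: 32-byte header plus a body.
    return b"\xffSMB\x73" + bytes(27) + user.encode()

# Constructed per-account MAC keys.
KEY_USER1, KEY_USER2, KEY_DUMMY = (bytes([n]) * 40 for n in (1, 2, 3))

def shared_connection():
    conn = Connection()
    conn.session_setup(request("user1"), KEY_USER1)
    # The filter never learns user1's key, so this request goes out unsigned.
    return conn.session_setup(request("user2"), KEY_USER2)

def connection_per_user():  # fix 1: fresh connection, signing not yet active
    return Connection().session_setup(request("user2"), KEY_USER2)

def dummy_account_first():  # fix 2: the filter knows the dummy account's key
    conn = Connection()
    conn.session_setup(request("dummy"), KEY_DUMMY)
    signed = smb1_sign(KEY_DUMMY, conn.seq, request("user2"))
    return conn.session_setup(signed, KEY_USER2)
```
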