[jcifs] NTLM HTTP Authentication and SMB Signing

Michael B Allen mba2000 at ioplex.com
Wed Apr 7 21:24:02 GMT 2004


Eric said:
> The first user completes the NTLM handshake on the back end and gets
> authenticated.  The server initiates signing with the session setup
> response.  We don't verify the signature from the server (since we don't
> really care, and we don't have the MAC key to actually verify it
> anyways).  The user is authenticated and goes on his merry way.
>
> Now user number 2 comes along.  We have the challenge from the negotiate
> response already, so we send that in the Type 2.  The user sends the
> Type 3, and we try to do a session setup over the existing connection.
> However, signing has been set up on that connection already, using the
> first user's credentials.  We don't have the means to successfully
> calculate the signature for the session setup request, so the server
> sends back an error.

Signing subsequent SessionSetup requests makes sense but I thought the
Filter worked with servers that required signatures? Can anyone confirm?

> I can think of a couple fixes for this (if this is indeed what is
> occurring), neither of which is really all that great:
>
> 1) Don't reuse the SMB connection (i.e., do one-to-one with sessions and
> connections to the DC).  This would allow each incoming HTTP connection
> to set up a new connection with the DC, each of which would get a new
> challenge and set up signing fresh.  I think there's a config option for
> that; Mike might know off the top of his head.  I'd test this first, and
> see if it remediates the issue.

It's currently not an option but it's on the list for the next release.
I'll look at that next.

> 2) An ugly hack to do the initial session setup using an account with
> known credentials (i.e., authenticate with a dummy account to set up
> signing over the connection, then reuse the connection for real
> authentications later).  This is really kludgy though.

It's kludgy but it doesn't require any core changes. It could be confined
entirely to the filter.

> If you've got a packet capture, it would be helpful to verify this is
> what's happening.

Definitely should look at a capture [1] of this. But we should be able to
reproduce the behavior by simply pointing
jcifs.smb.client.domainController at a machine that supports signing and
using jcifs.smb.client.signingPreferred = true.

Mike

[1] http://jcifs.samba.org/capture.html
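
The failure discussed in this thread, as an added Python sketch that is not part of the original post and is not jCIFS code: a simplified model of per-connection SMB1 signing, showing why a second session setup on a reused connection is rejected while a fresh connection succeeds. The class and function names, the "OK"/"ERROR" results and the key and response bytes are hypothetical, constructed values.

```python
import hashlib
import struct

SIG_OFFSET = 14  # SecuritySignature: 8 bytes at offset 14 of the SMB1 header

def smb1_signature(mac_key: bytes, message: bytes, seq: int) -> bytes:
    """First 8 bytes of MD5(MAC key + message), with the signature field
    holding the sequence number (4 bytes LE) plus 4 zero bytes while hashing."""
    buf = bytearray(message)
    buf[SIG_OFFSET:SIG_OFFSET + 8] = struct.pack("<II", seq, 0)
    return hashlib.md5(mac_key + bytes(buf)).digest()[:8]

def sign(mac_key, message, seq):
    buf = bytearray(message)
    buf[SIG_OFFSET:SIG_OFFSET + 8] = smb1_signature(mac_key, message, seq)
    return bytes(buf)

def verify(mac_key, message, seq):
    return message[SIG_OFFSET:SIG_OFFSET + 8] == smb1_signature(mac_key, message, seq)

class DcConnection:
    """Simplified model of the signing state a server keeps per connection."""
    def __init__(self):
        self.mac_key = None
        self.next_seq = 0

    def session_setup(self, request, session_key, response):
        if self.mac_key is None:
            # First authenticated session setup fixes the MAC key for the connection.
            self.mac_key = session_key + response
            self.next_seq = 2  # 0 and 1 were used by this request/response pair
            return "OK"
        ok = verify(self.mac_key, request, self.next_seq)
        self.next_seq += 2
        return "OK" if ok else "ERROR"

def make_request(body: bytes) -> bytes:
    # Constructed 32-byte header: "\xffSMB", command 0x73 (SessionSetupAndX), rest zero.
    return b"\xffSMB\x73" + bytes(27) + body

# Constructed sample values; real ones derive from each user's password hash.
USER1_KEY, USER1_RESP = bytes(range(16)), bytes(range(16, 40))
USER2_KEY, USER2_RESP = bytes(range(40, 56)), bytes(range(56, 80))

def reused_connection_result():
    conn = DcConnection()
    conn.session_setup(make_request(b"user1"), USER1_KEY, USER1_RESP)
    # The proxy holds user 2's Type 3 response but not user 1's MAC key,
    # so the request goes out without a valid signature.
    return conn.session_setup(make_request(b"user2"), USER2_KEY, USER2_RESP)

def fresh_connection_result():
    return DcConnection().session_setup(make_request(b"user2"), USER2_KEY, USER2_RESP)
```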

