[jcifs] NTLM Authentication and multiple domains
Michael B Allen
mba2000 at ioplex.com
Thu Apr 22 21:35:50 GMT 2004
eglass1 at comcast.net said:
> Long term (once NetLogon RPC support is available), the intent is for
> Davenport to use a "hybrid" model:
>
> 1) client sends type 1 message to HTTP server
>
> 2) server connects via SMB to any backend SMB server. SMB server gives
> us a challenge
>
> 3) server sends type 2 message to client, containing challenge from SMB
> server
>
> 4) client sends type 3 message to server, containing response to
> challenge
>
> 5) server sends both the challenge and the response to a domain
> controller, over the encrypted NetLogon RPC pipe.
>
> 6) server responds with result of authentication and session key
>
> 7) server completes handshake with SMB server by passing on the
> response from the client
>
> So we still use the "man-in-the-middle" approach to overcome the
> double-hop issue; but we also authenticate using NetLogon to get the
> session key, so we can sign SMB messages to the SMB server. That's the
> theory anyway.
Good scheme. Sounds like it should work.
Mike
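The seven-step exchange quoted above, as an added in-process simulation that is not code from the post, Davenport or jCIFS: the backend SMB server issues the challenge, the HTTP server relays it in the type 2 message, the client answers with an NTLMv2 response (the post does not fix the NTLM version; NTLMv2 is assumed here, with a minimal blob and no target info), and the domain controller verifies the response and hands back the session key that the HTTP server needs before it can sign SMB traffic. The NT hash, user and domain are constructed values, the NetLogon call is a plain function call, and the signing step is a stand-in for SMB signing.

```python
import hmac, hashlib, secrets, time

# Constructed secret: the NT hash (MD4 of the password) held by the client and by the DC.
# It is never given to the HTTP server, which is the point of the hybrid scheme.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
USER, DOMAIN = "alice", "CORP"  # constructed account

def hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()

def ntowf_v2(nt_hash, user, domain):
    # NTOWFv2 = HMAC_MD5(NT hash, UTF-16LE(upper(user) + domain))
    return hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16le"))

def client_type3(server_challenge):
    # Step 4: the client builds the NTLMv2 response to the challenge relayed in the type 2 message.
    # Minimal blob: header, timestamp, client nonce, terminator; target info is omitted here.
    key = ntowf_v2(NT_HASH, USER, DOMAIN)
    blob = (b"\x01\x01" + b"\x00" * 6 + int(time.time()).to_bytes(8, "little")
            + secrets.token_bytes(8) + b"\x00" * 4)
    proof = hmac_md5(key, server_challenge + blob)
    session_base_key = hmac_md5(key, proof)  # the client derives the same key the DC will return
    return {"user": USER, "domain": DOMAIN, "proof": proof, "blob": blob}, session_base_key

def dc_verify(server_challenge, type3):
    # Steps 5-6: the DC recomputes the proof from the account's NT hash and returns the session key.
    # In the real design this runs over the encrypted NetLogon RPC pipe; here it is a function call.
    key = ntowf_v2(NT_HASH, type3["user"], type3["domain"])
    expected = hmac_md5(key, server_challenge + type3["blob"])
    if not hmac.compare_digest(expected, type3["proof"]):
        return None
    return hmac_md5(key, type3["proof"])

def sign_smb(session_key, message):
    # Stand-in for SMB message signing: only possible once the HTTP server holds the session key.
    return hmac_md5(session_key, message)[:8]

def run_exchange():
    server_challenge = secrets.token_bytes(8)          # step 2: backend SMB server issues its challenge
    type2 = {"challenge": server_challenge}            # step 3: HTTP server relays it to the client
    type3, client_key = client_type3(type2["challenge"])
    session_key = dc_verify(server_challenge, type3)   # steps 5-6: DC authenticates, returns key
    if session_key is None:
        return None
    # Step 7: the HTTP server passes the client's response on to the SMB server and can now sign.
    return {"keys_match": session_key == client_key,
            "signature": sign_smb(session_key, b"SMB message to backend")}
```

Without the DC step the HTTP server sees only the challenge and the response, never the NT hash, so it cannot derive the session key or produce the signature.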