[jcifs] NTLM Authentication and multiple domains

Eric eglass1 at comcast.net
Fri Apr 23 01:16:23 GMT 2004

O'Rourke, James wrote:
> So given this case, it implies that an application with access to NetLogon
> RPC such as IIS in this case is able to defer resolving the domain until
> message 3, however using jCIFs as it currently stands, is not able to do
> this. 

Kind of.  The authentication domain is known with the type 3; I don't 
think the server will actually "resolve" it though.  The server is 
joined to a domain, and receives an account on the domain controller; 
this is the account that is used to set up the NetLogon pipe.  So the 
server effectively talks to a single domain controller, regardless of 
what domain the user specifies; the domain controller uses trust 
relationships to talk to other domains.  I'm fuzzy on how this last bit 
works myself.

> Is it the case that in this current jCIFs scenario that the SMB server which
> provides the challenge in Type2, once it receives the Type3 response from
> the client, then in fact takes this response (Type3) + the challenge it
> provided and forwards it to the appropriate domain controller based on the
> actual domain information for the account being authenticated as is
> encapsulated in the Type3 message or is this not necessary. Perhaps I'm way
> off target. 

The response has to go to the server that generated the challenge.  So 
whatever server generated the challenge in the type 2 message has to get 
the responses from the type 3 (even if the type 3 indicates a different 
authentication domain).  In the NetLogon scenario you could have the 
server send the challenge and response to an arbitrary/appropriate 
domain controller; however, the server would need to have a machine 
account established in each domain (i.e. it would need to "join" 
multiple domains).

> Finally, when a domain controller (say DC1) receives a Type3 message to
> authenticate joeuser say, but joeuser has only an account on another domain
> (with say DC2), which DC1 has a trust relationship with, then will this
> request be authenticated nonetheless?

Yes; that's what the trust is for.
