[jcifs] ntlmv2

O'Rourke, James jorourke at rsasecurity.com
Thu Dec 2 01:18:47 GMT 2004


I'm not sure what you mean by saying you do not support NTLMv2. I
thought that's what the result was when making lmCompatibility=5. 

Essentially, we are acting as a proxy between the client and domain
controller. 

The client makes a request, we get a challenge via
SmbSession.getChallenge(dc), send that back as a type2 message
(constructed using Type2Message ( type1, challenge, null );), and then
get the Type3 response from the browser (IE), create a Type3 message via
( Type3Message(src) - where src is the raw data from the browser).

We then create an object as such:

    NtlmPasswordAuthentication ( domainUppercase, type3.getUser ( ),
                    challenge, lmResponse, ntResponse );


Then we call SmbSession.authenticate ( dc, ntlmPasswordAuth );

What we are seeing is when lmCompatibility=5, and security settings on
the machine with IE is set to Send NTLMv2 Responses Only under LAN
Manager Authentication Level (as well as for the domain controllers), we
only succeed when we enter the domain name in uppercase on IE. We tried
switching this in our code, but it did not work, and it would be a problem
as it is IE which is generating the Type3Message essentially. When
lmCompatibility is <= 3, we can succeed with lowercase domain name. 

Initially, I thought this was because NTLMv2 used the domain in the
response, and earlier versions do not. This is true, however, we do not
get this error when simply authenticating to a domain controller
normally and forcing NTLMv2. 

I hope this doesn't seem terse, I just wanted to get the details down
here. 

Thanks in advance.

James


-----Original Message-----
From: Michael B Allen [mailto:mba2000 at ioplex.com] 
Sent: Wednesday, December 01, 2004 10:54 AM
To: O'Rourke, James
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] ntlmv2


On Wed, 1 Dec 2004 10:43:24 -0800
"O'Rourke, James" <jorourke at rsasecurity.com> wrote:

> I am seeing an issue whereby when I force NTLMv2 on jcifs, domain 
> controllers and the client (IE), authentication fails when I try to 
> enter the domain name in lowercase. It succeeds when I enter it in 
> upper case. Essentially the configuration is as follows:
>  
> client connects via IE to our servers which essentially proxy the 
> NTLMv2 handshake for domain controllers. We talk to the domain 
> controllers through jcifs.
>  
> Any suggestions would be of help.

Oh, crud I forgot about this. Someone reported that the fix is to add
toUpperCase() in src/jcifs/ntlmssp/Type3Message.java:

--- src.0/jcifs/ntlmssp/Type3Message.java       Wed Dec  1 13:50:22 2004
+++ src/jcifs/ntlmssp/Type3Message.java Wed Dec  1 13:49:38 2004
@@ -325,7 +325,7 @@
             byte[] domain = null;
             if (domainName != null && domainName.length() != 0) {
                 domain = unicode ?
-                        domainName.getBytes("UnicodeLittleUnmarked") :
+                       
domainName.toUpperCase().getBytes("UnicodeLittleUnmarked") :
                                 domainName.toUpperCase().getBytes(oem);
             }
             int domainLength = (domain != null) ? domain.length : 0;
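
Review bot: The added `domainName.toUpperCase()` in the unicode branch takes no Locale, so the bytes written into the Type 3 message depend on the JVM default locale (under a Turkish locale, for example, "i" does not map to "I"). Pass an explicit locale such as `Locale.ENGLISH`, and since the OEM branch on the next line makes the same call, uppercase once into a local variable before the ternary so both encodings start from the same string. Also note that the `+` line has been wrapped by the mailer onto two lines, so the hunk will not apply as posted.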

BTW: We do not support NTLMv2 but if you choose lmCompatibility of 3 it
will negotiate LMv2.

I'll wait a few days to make sure there are no surprises in the 1.1.3 fix
and do another release. Maybe you can patch a jar yourself for a while.

Mike

-- 
Greedo shoots first? Not in my Star Wars.
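
Why the case of the domain can decide whether a v2 response verifies, as an added example (not jcifs code and not from either poster): the LMv2/NTLMv2 key is HMAC-MD5 over the uppercased user name concatenated with the domain as supplied, so a verifier that sees the domain in a different case derives a different key. The NT hash, challenges, user and domain names below are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread): a 16-byte NT hash and
# two 8-byte challenges.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")


def ntowf_v2(nt_hash, user, domain):
    """v2 key: HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)).

    Only the user name is uppercased; the domain is used as supplied.
    """
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def lmv2_response(nt_hash, user, domain, server_challenge, client_challenge):
    """LMv2: HMAC-MD5(key, server || client challenge) + client challenge."""
    key = ntowf_v2(nt_hash, user, domain)
    mac = hmac.new(key, server_challenge + client_challenge, hashlib.md5).digest()
    return mac + client_challenge


def verify_lmv2(nt_hash, user, domain, server_challenge, response):
    """Recompute the response the way a verifier would and compare."""
    if len(response) != 24:
        return False
    expected = lmv2_response(nt_hash, user, domain, server_challenge, response[16:])
    return hmac.compare_digest(expected, response)


def demo():
    # Assumption: the client keys its response on the domain as it was typed.
    typed = lmv2_response(NT_HASH, "james", "corp", SERVER_CHALLENGE, CLIENT_CHALLENGE)
    return {
        "same_case": verify_lmv2(NT_HASH, "james", "corp", SERVER_CHALLENGE, typed),
        "uppercased": verify_lmv2(NT_HASH, "james", "CORP", SERVER_CHALLENGE, typed),
        "user_case": verify_lmv2(NT_HASH, "JAMES", "corp", SERVER_CHALLENGE, typed),
    }


if __name__ == "__main__":
    print(demo())
```

The NTLMv2 response uses the same key over a longer client blob, so the same sensitivity to the domain string applies there.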

