[jcifs] ntlmv2

Michael B Allen mba2000 at ioplex.com
Thu Dec 2 03:06:37 GMT 2004


On Wed, 1 Dec 2004 17:18:47 -0800
"O'Rourke, James" <jorourke at rsasecurity.com> wrote:

> I'm not sure what you mean by saying you do not support NTLMv2. I
> thought that's what the result was when making lmCompatibility=5.

No. The lmCompatibility levels are defined by MS. We do not support all
levels. In particular we do not support full NTLMv2. However if you choose
an NTLMv2 lmCompatibility level it may still work because we do support LMv2
which is accepted as a suitable alternative. To what extent I'm not certain
because another guy did all the serious NTLM work.

Google for "ntlm jcifs" for stuff posted by Eric like this:

  http://lists.samba.org/archive/jcifs/2003-September/002557.html

[Note I'm working on extended security right now]

> Essentially, we are acting as a proxy between the client and domain
> controller. 
> 
> The client makes a request, we get a challenge via
> SmbSession.getChallenge(dc), send that back as a type2 message
> (constructed using Type2Message ( type1, challenge, null );), and then
> get the Type3 response from the browser (IE), create a Type3 message via

Yeah, that's basically what the NTLM HTTP Filter does but we need extended
security to do NTLMv2 proper.

> What we are seeing is when lmCompatibility=5, and security settings on
> the machine with IE is set to Send NTLMv2 Responses Only under LAN
> Manager Authentication Level (as well as for the domain controllers), we
> only succeed when we enter the domain name in uppercase on IE. We tried
> switching this in our code, but it did not work, and it would be a problem
> as it is IE which is generating the Type3Message essentially. When
> lmCompatibility is <= 3, we can succeed with lowercase domain name.

I don't understand. Are you saying you applied the toUpperCase() fix to
src/ntlmssp/Type3Message.java and it still didn't work?

> I hope this doesn't seem terse, I just wanted to get the details down
> here. 

Unfortunately I don't know "the details". Even though Eric has run off he
documented his work fairly well [1]. You might review that. I've actually
been leaning toward skipping NTLM and focusing on Kerberos instead to stay
ahead of the curve.

Mike

[1] http://davenport.sourceforge.net/ntlm.html

-- 
Greedo shoots first? Not in my Star Wars.

