[jcifs] HTTP Authentication Methods

Michael B Allen mba2000 at ioplex.com
Sun Dec 5 23:08:17 GMT 2004


[Sending this to the list as it's good general purpose information]

Christopher R. Hertel said:
> One more question...
>
> I've already asked whether it's possible to do NTLMSSP over HTTP over SSL.
>
> I'm also curious about whether it's the client or the web server that
> determines which type of HTTP authentication (basic, etc.) is to be used.
> I assume, in this case, that it's the server.  Is it?

The mechanism for Basic and NTLM over HTTP is the same. Basic is like this:

C: GET
S: 401 Unauthorized
   WWW-Authenticate: Basic
C: GET
   WWW-Authenticate: Basic <creds>
S: 200 Success

With NTLM over HTTP it's:

C: GET
S: 401 Unauthorized
   WWW-Authenticate: NTLM
C: GET
   WWW-Authenticate: NTLM <ntlmssp type-1-message>
<web server gets challenge from DC>
S: 401 Unauthorized
   WWW-Authenticate: NTLM <ntlmssp type-2-message>
<client computes ntlm hashes with challenge>
C: GET
   WWW-Authenticate: NTLM <ntlmssp type-3-message>
S: 200 Success

[although POST vs GET is a little different]

Then you have SPNEGO over HTTP which is very much like NTLM but it's
"WWW-Authenticate: Negotiate" and the messages are not ntlmssp messages,
they are the "blobs" (e.g. GSS-API kerberos).

If the server supports multiple mechs it's:

C: GET
S: 401 Unauthorized
   WWW-Authenticate: Basic
   WWW-Authenticate: NTLM
   WWW-Authenticate: Negotiate
...

So to answer your question, the server presents the supported
authentication mechs and the client picks. Conceptually this is just like
SASL which is just like SPNEGO / GSS-API which is just like .... same
thing reinvented over and over so people upgrade and buy new servers ;->

Mike
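As an added illustration of the exchange described in the post (example code, not from the post or from jcifs): a small Python model of the client side that parses the schemes offered in a 401, picks the strongest one the client supports (Basic only over TLS, since it carries the password itself), and steps through the three NTLM legs while rejecting out-of-sequence challenges. The type-1/type-3 bodies are constructed placeholders, not real NTLMSSP messages.

```python
import base64

# Client preference, strongest first: the server offers, the client picks.
PREFERENCE = ("Negotiate", "NTLM", "Basic")

def parse_www_authenticate(headers):
    """Return the challenges in a 401 as (scheme, token) pairs; token is None
    for a bare offer such as "WWW-Authenticate: NTLM" (round one)."""
    out = []
    for name, value in headers:
        if name.lower() == "www-authenticate":
            scheme, _, token = value.strip().partition(" ")
            out.append((scheme, token.strip() or None))
    return out

def choose_scheme(challenges, supported, over_tls):
    """Strongest offered scheme the client supports; Basic is refused unless
    the connection is TLS, because it sends the password itself."""
    offered = {s for s, _ in challenges}
    for scheme in PREFERENCE:
        if scheme in offered and scheme in supported:
            if scheme == "Basic" and not over_tls:
                continue
            return scheme
    return None

class NtlmHttpClient:
    """Drives the three-leg NTLM-over-HTTP exchange from the post.
    The type-1/type-3 bodies are constructed placeholders, not real NTLMSSP."""
    def __init__(self):
        self.state = "start"
        self.challenge = None
    def next_authorization(self, status, headers):
        """Given the last response, return the next credential value to send,
        or None when the exchange is finished or has failed."""
        chal = dict(parse_www_authenticate(headers))
        if status == 200:
            self.state = "done"
            return None
        if status != 401 or "NTLM" not in chal:
            self.state = "failed"
            return None
        if self.state == "start" and chal["NTLM"] is None:   # leg 1: bare offer
            self.state = "sent_type1"
            return "NTLM " + base64.b64encode(b"NTLMSSP-TYPE1(placeholder)").decode()
        if self.state == "sent_type1" and chal["NTLM"]:       # leg 2: type-2 challenge
            self.challenge = base64.b64decode(chal["NTLM"])
            self.state = "sent_type3"
            return "NTLM " + base64.b64encode(b"NTLMSSP-TYPE3(placeholder)+" + self.challenge).decode()
        self.state = "failed"   # a challenge out of sequence, e.g. one we never asked for
        return None
```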
