[jcifs] HTTP Authentication Methods
Michael B Allen
mba2000 at ioplex.com
Sun Dec 5 23:08:17 GMT 2004
[Sending this to the list as it's good general purpose information]
Christopher R. Hertel said:
> One more question...
>
> I've already asked whether it's possible to do NTLMSSP over HTTP over SSL.
>
> I'm also curious about whether it's the client or the web server that
> determines which type of HTTP authentication (basic, etc.) is to be used.
> I assume, in this case, that it's the server. Is it?
The mechanism for Basic and NTLM over HTTP is the same. Basic is like this:
C: GET
S: 401 Unauthorized
   WWW-Authenticate: Basic
C: GET
   WWW-Authenticate: Basic <creds>
S: 200 Success
With NTLM over HTTP it's:
C: GET
S: 401 Unauthorized
   WWW-Authenticate: NTLM
C: GET
   WWW-Authenticate: NTLM <ntlmssp type-1-message>
   <web server gets challenge from DC>
S: 401 Unauthorized
   WWW-Authenticate: NTLM <ntlmssp type-2-message>
   <client computes ntlm hashes with challenge>
C: GET
   WWW-Authenticate: NTLM <ntlmssp type-3-message>
S: 200 Success
[although POST vs GET is a little different]
Then you have SPNEGO over HTTP which is very much like NTLM but it's
"WWW-Authenticate: Negotiate" and the messages are not ntlmssp messages,
they are the "blobs" (e.g. GSS-API kerberos).
If the server supports multiple mechs it's:
C: GET
S: 401 Unauthorized
   WWW-Authenticate: Basic
   WWW-Authenticate: NTLM
   WWW-Authenticate: Negotiate
   ...
So to answer your question, the server presents the supported
authentication mechs and the client picks. Conceptually this is just like
SASL which is just like SPNEGO / GSS-API which is just like .... same
thing reinvented over and over so people upgrade and buy new servers ;->
Mike
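As an added example (not from the post above and not jcifs code), the client-side bookkeeping for the exchange Mike describes, in Python: parse the WWW-Authenticate headers a server puts in its 401, pick one mechanism by client preference, and tell the three NTLM legs apart from a captured token. The preference order, the TLS-only rule for Basic and the sample tokens are assumptions of this example; the NTLMSSP signature and the 4-byte little-endian message type at offset 8 are the NTLMSSP message layout. The client's own requests carry the token in an Authorization header, which is what the constructed log lines use.

```python
"""Client-side view of HTTP authentication negotiation (constructed example).

Parses the server's WWW-Authenticate offers, picks a mechanism, and
identifies which leg of an NTLM-over-HTTP handshake a token belongs to.
"""
import base64
import struct
from typing import Dict, List, Optional, Tuple

# Client preference order (an assumption of this example): prefer
# Negotiate (SPNEGO), fall back to NTLM, and use Basic only as a last resort.
CLIENT_PREFERENCE = ("Negotiate", "NTLM", "Basic")

# Every NTLMSSP message starts with this signature followed by a 4-byte
# little-endian message type: 1 = negotiate, 2 = challenge, 3 = authenticate.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_TYPE_NAMES = {1: "type-1 negotiate", 2: "type-2 challenge", 3: "type-3 authenticate"}


def parse_www_authenticate(header_values: List[str]) -> Dict[str, Optional[str]]:
    """Map each offered scheme to its token (None for a bare challenge).

    One 401 may carry several WWW-Authenticate headers, one per mechanism.
    """
    offered: Dict[str, Optional[str]] = {}
    for value in header_values:
        scheme, _, token = value.strip().partition(" ")
        offered[scheme] = token.strip() or None
    return offered


def choose_mechanism(offered: Dict[str, Optional[str]], over_tls: bool) -> Optional[str]:
    """The server offers, the client picks: the first preferred scheme present.

    Basic carries the password merely base64-encoded, so this client only
    accepts it when the connection is protected by TLS.
    """
    for scheme in CLIENT_PREFERENCE:
        if scheme not in offered:
            continue
        if scheme == "Basic" and not over_tls:
            continue
        return scheme
    return None


def make_ntlmssp_token(message_type: int) -> str:
    """Build a minimal constructed NTLMSSP blob (header only) as base64.

    Real messages carry flags, the server challenge and the client responses
    after this header; the 12-byte prefix is enough to tell the legs apart.
    """
    raw = NTLMSSP_SIGNATURE + struct.pack("<I", message_type) + b"\x00" * 20
    return base64.b64encode(raw).decode("ascii")


def ntlmssp_message_type(token_b64: str) -> Optional[int]:
    """Return the NTLMSSP message type of a base64 token, or None if not NTLMSSP."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        return None
    return struct.unpack_from("<I", raw, 8)[0]


def classify_auth_header(value: str) -> Tuple[str, str]:
    """Classify one WWW-Authenticate or Authorization header value.

    Handy when reading proxy or web-server logs: it says which leg of the
    handshake a line was without decoding any credentials.
    """
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if not token:
        return scheme, "bare challenge (server offering the scheme)"
    if scheme == "Basic":
        return scheme, "credentials (base64 of user:password)"
    mtype = ntlmssp_message_type(token)
    if mtype is not None:
        return scheme, NTLMSSP_TYPE_NAMES.get(mtype, f"unknown NTLMSSP type {mtype}")
    return scheme, "non-NTLMSSP blob (e.g. SPNEGO-wrapped Kerberos)"


if __name__ == "__main__":
    # Constructed 401 offering several mechanisms, as in the post.
    offered = parse_www_authenticate(["Basic", "NTLM", "Negotiate"])
    print("client picks:", choose_mechanism(offered, over_tls=True))
    # Constructed log lines for the NTLM exchange; client legs use Authorization.
    exchange = [
        "WWW-Authenticate: NTLM",
        "Authorization: NTLM " + make_ntlmssp_token(1),
        "WWW-Authenticate: NTLM " + make_ntlmssp_token(2),
        "Authorization: NTLM " + make_ntlmssp_token(3),
    ]
    for line in exchange:
        name, value = line.split(": ", 1)
        print(f"{name:17s} -> {classify_auth_header(value)}")
```

Run it as a script to see the multi-mechanism 401 resolved to Negotiate and the four NTLM log lines labelled by leg; pass `over_tls=False` to `choose_mechanism` with only Basic offered and it returns None rather than sending a cleartext-equivalent password.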