[jcifs] apologies

O'Rourke, James jorourke at rsasecurity.com
Tue Dec 7 17:42:29 GMT 2004

Damn outlook.
Apologies for the last email - ctrl-enter = send. 
Try again.
We are using jcifs to act essentially as a proxy, and I wanted to post a
Briefly, this is what we do
IE/Browser           Our Authorization Server                Domain
     |           type1                 |
     |  -------------------------------> |
     |                                    | SmbSession.getChallenge(dc)
     |           type2                 |
-------------------------------------->   |
     |  <------------------------------  |
     |                                    |
     |          type3 (response)  |
     |  ------------------------------>  |
     |                                    |
     |                                    |  SMBSession.logon(pwdAuth)
     |                                    |
---------------------------------------->  |
     |      Authorized              |
     |  <------------------------------- |
     |                                    |
Essentially, we use jcifs in the Authorization server to extract
messages from the client, and then make requests to the domain
controller. We get a problem when the user (in say IE) enters the domain
name in lowercase. What is happening is that IE/browser is computing the
hash (NTLMv2/LMv2) using amongst other things, this domain string. Then,
on the server, when we call SMBSession.logon(), deep down in jcifs in
the call:
we see the code:
    accountName = auth.username.toUpperCase();
    primaryDomain = auth.domain.toUpperCase();
which is resulting in a situation where when the domain controller
receives the authentication request, it results in a mismatch of the
credentials as domain controller attempts to compute the hash based on
uppercase domain. (incidentally, when we remove .toUpperCase() our
problem goes away as expected).
It is possible that this is your desire, and that we are misusing the
library by acting as a proxy rather than as a client or server, however,
I thought it strange then not to let the caller decide whether to make
the domain all uppercase or not, but instead place this code in lower
level code.


-------------- next part --------------
HTML attachment scrubbed and removed

More information about the jcifs mailing list