[jcifs] apologies
O'Rourke, James
jorourke at rsasecurity.com
Tue Dec 7 17:42:29 GMT 2004
Damn outlook.
Apologies for the last email - ctrl-enter = send.
Try again.
Hi,
We are using jcifs to act essentially as a proxy, and I wanted to post a
question/suggestion.
Briefly, this is what we do
IE/Browser Our Authorization Server Domain
Controller
| type1 |
|
| -------------------------------> |
|
| | SmbSession.getChallenge(dc)
|
| type2 |
--------------------------------------> |
| <------------------------------ |
|
| |
|
| type3 (response) |
|
| ------------------------------> |
|
| |
|
| | SMBSession.logon(pwdAuth)
|
| |
----------------------------------------> |
| Authorized |
|
| <------------------------------- |
|
| |
|
Essentially, we use jcifs in the Authorization server to extract
messages from the client, and then make requests to the domain
controller. We get a problem when the user (in say IE) enters the domain
name in lowercase. What is happening is that IE/browser is computing the
hash (NTLMv2/LMv2) using amongst other things, this domain string. Then,
on the server, when we call SMBSession.logon(), deep down in jcifs in
the call:
SmbComSessionSetupAndX.writeBytesWireFormat()
we see the code:
accountName = auth.username.toUpperCase();
primaryDomain = auth.domain.toUpperCase();
which is resulting in a situation where when the domain controller
receives the authentication request, it results in a mismatch of the
credentials as domain controller attempts to compute the hash based on
uppercase domain. (incidentally, when we remove .toUpperCase() our
problem goes away as expected).
It is possible that this is your desire, and that we are misusing the
library by acting as a proxy rather than as a client or server, however,
I thought it strange then not to let the caller decide whether to make
the domain all uppercase or not, but instead place this code in lower
level code.
Thanks
James
-------------- next part --------------
HTML attachment scrubbed and removed
More information about the jcifs
mailing list