[jcifs] Cancel NTLM-Authentication Serverside

Michael B Allen mba2000 at ioplex.com
Fri Dec 17 09:19:05 GMT 2004

On Fri, 17 Dec 2004 09:54:19 +0100
Ingo Rockel <irockel at pironet-ndh.com> wrote:

> Hi all!
> maybe someone has an idea concerning this. We have an application 
> running in an OracleAS application server, jcifs is configured as sso in 
> a filter. There also is a form-based login configured using a security 
> constraint in the application server. So if a client logs in, the 
> jcifs-ntlm-sso is called requesting ntlm-credentials, checking againt a
> DC.
> Now the customer wants the login process to present the form based login 
> to be shown if the sso against the dc fails because the client is 
> unkown. First try was just to ignore the ntlm-login-fail and present the 
> form based login. But problem is in this case IE thinks NTLM-auth was 
> successfull and uses the NTLM header for all its requests. And the IE 
> seems to have a special behavior concerning post-requests (like a form 
> based login), it tries to reauthenticate the post request without 
> sending the post data, unfortuneately the app server has the mentioned 
> security constraint on this url and so again shows the form based login 
> and the client is trapped.
> Any idea how to tell the IE silently to stop trying to send NTLM-creds 
> after first try failed.

Someone once claimed to have had some success with sending back some kind
of error that trick IE into thinking the session should be invalidated. I
don't think it was 403 as that will cause the Network Password Dialog
to pop up. Try googling for Eric Glass messages about this.

Or maybe someone else on the list has done this?


Greedo shoots first? Not in my Star Wars.

More information about the jcifs mailing list