[jcifs] Cancel NTLM-Authentication Serverside
Ingo Rockel
irockel at pironet-ndh.com
Fri Dec 17 09:54:53 GMT 2004
Hi Mike,
are you sure about the mentioned name? I googled for the name and only
found three postings, one in a thread about NTLM but concerning man in
the middle attacks with NTLM based auth. Haven't found anything googling
for the issue so far...
Thanx,
Ingo
Michael B Allen wrote:
> On Fri, 17 Dec 2004 09:54:19 +0100
> Ingo Rockel <irockel at pironet-ndh.com> wrote:
>
>
>>Hi all!
>>
>>maybe someone has an idea concerning this. We have an application
>>running in an OracleAS application server, jcifs is configured as sso in
>>a filter. There also is a form-based login configured using a security
>>constraint in the application server. So if a client logs in, the
>>jcifs-ntlm-sso is called requesting ntlm-credentials, checking against a
>>DC.
>>
>>Now the customer wants the login process to present the form based login
>>to be shown if the sso against the dc fails because the client is
>>unknown. First try was just to ignore the ntlm-login-fail and present the
>>form based login. But problem is in this case IE thinks NTLM-auth was
>>successful and uses the NTLM header for all its requests. And the IE
>>seems to have a special behavior concerning post-requests (like a form
>>based login), it tries to reauthenticate the post request without
>>sending the post data, unfortunately the app server has the mentioned
>>security constraint on this url and so again shows the form based login
>>and the client is trapped.
>>
>>Any idea how to tell the IE silently to stop trying to send NTLM-creds
>>after first try failed?
>
>
> Someone once claimed to have had some success with sending back some kind
> of error that tricks IE into thinking the session should be invalidated. I
> don't think it was 403 as that will cause the Network Password Dialog
> to pop up. Try googling for Eric Glass messages about this.
>
> Or maybe someone else on the list has done this?
>
> Mike
>
--
PIRONET NDH AG
Ingo Rockel - Produktentwicklung
Maarweg 149-161, 50825 Koeln
Tel.: +49 (0)221-770-1788 / Fax: +49 (0)221-770-1005
mailto:irockel at pironet-ndh.com - http://www.pironet-ndh.com