[jcifs] Turn off NTLM authentication in IE after it has been set?

Michael B Allen mba2000 at ioplex.com
Thu Jan 15 20:48:40 GMT 2004

> Need way to turn off NTLM in IE after it has been set?
>  After the Authorization header "WWW-Authenticate= NTLM" is sent to the
>  client and the user is logged on via NTLM handshake, the user then wants
> to log out and log in manually using a different account.(non NTLM internal
>  authentication via a servlet would be used)
> The problem is that I need a way to tell IE to not use NTLM authentication
>  anymore. i.e. pass back something like "Authorization header = none" to
> turn
>  off NTLM from the client side? Does anyone know if this can be done?

NTLM HTTP auth is triggered entirely on the server side. Negotiation is triggered
by replying to a GET or POST request with an unauthorized error code and
WWW-Authenticate: NTLM header. Now the part you are probably interested in is the
fact that if the negotiated credentials are rejected, IE will pop up the Enter
Network Password Dialog. So, if you want users to be able to subvert the SSO
mechanism so they can explicitly enter new credentials just sent the unauthorized
error and WWW-Authenticate: NTLM header the right number of times to trigger that
dialog to come up. The trick is you need to do this without losing track of what
your doing. I'm not certain how such a thing would work. You could set the
"NtlmHttpAuth" key in the HttpSession to 'null' as an indicator to the
NtlmHttpFilter that this above described re-negotiation should take place. Of
course that would require changing the Filter. I'm working on the Filter right now
so maybe I'll explore this idea a little later.


A program should be written to  model the concepts of the task it
performs rather than the physical world or a process because this
maximizes the  potential for it  to be applied  to tasks that are
conceptually similar and, more  important, to tasks that have not
yet been conceived.

More information about the jcifs mailing list