[jcifs] Turn off NTLM authentication in IE after it has been set?

Chris_Conner at Dell.com Chris_Conner at Dell.com
Thu Jan 15 23:07:55 GMT 2004


Thanks for your response.
I would like to be able to turn NTLM off in IE (no IE login prompt) so I can
log in via my product logon screen. Do you know if there is a way to reset
IE's WWW-Authenticate to not use NTLM any longer after it has been set?


-Chris

-----Original Message-----
From: jcifs-bounces+chris_conner=dell.com at lists.samba.org
[mailto:jcifs-bounces+chris_conner=dell.com at lists.samba.org] On Behalf Of
Michael B Allen
Sent: Thursday, January 15, 2004 2:49 PM
To: Conner, Chris
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] Turn off NTLM authentication in IE after it has been
set?



>
> Need way to turn off NTLM in IE after it has been set?
>
> After the Authorization header "WWW-Authenticate= NTLM" is sent to
> the client and the user is logged on via NTLM handshake, the user
> then wants to log out and log in manually using a different
> account (non-NTLM internal authentication via a servlet would be
> used).
>
> The problem is that I need a way to tell IE to not use NTLM
> authentication anymore, i.e. pass back something like "Authorization
> header = none" to turn off NTLM from the client side. Does anyone
> know if this can be done?

NTLM HTTP auth is triggered entirely on the server side. Negotiation is
triggered by replying to a GET or POST request with an unauthorized error
code and WWW-Authenticate: NTLM header. Now the part you are probably
interested in is the fact that if the negotiated credentials are rejected,
IE will pop up the Enter Network Password Dialog. So, if you want users to
be able to subvert the SSO mechanism so they can explicitly enter new
credentials, just send the unauthorized error and WWW-Authenticate: NTLM
header the right number of times to trigger that dialog to come up. The
trick is you need to do this without losing track of what you're doing. I'm
not certain how such a thing would work. You could set the "NtlmHttpAuth"
key in the HttpSession to 'null' as an indicator to the NtlmHttpFilter that
the above-described re-negotiation should take place. Of course that would
require changing the Filter. I'm working on the Filter right now so maybe
I'll explore this idea a little later.

Mike


-- 
A program should be written to  model the concepts of the task it performs
rather than the physical world or a process because this maximizes the
potential for it  to be applied  to tasks that are conceptually similar and,
more  important, to tasks that have not yet been conceived.
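
Added example, not part of the original messages and not jCIFS code: the server-side decision the thread describes, written as a plain Java function that reads the NTLM message type from the Authorization header and chooses the reply. The class, enum, method names and the "renegotiate" session flag are hypothetical, and it assumes that rejecting one Type 3 message is enough to make the browser show its credentials dialog.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration, not jCIFS code; all names here are hypothetical.
public class NtlmChallengeDecision {
    enum Action { SEND_401_NTLM, SEND_TYPE2_CHALLENGE, VALIDATE_TYPE3, REJECT_TYPE3_WITH_401, PASS_THROUGH }

    private static final byte[] SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    // NTLM message type from an "Authorization: NTLM <base64>" value:
    // 1 = negotiate, 3 = authenticate, -1 = absent or malformed.
    static int messageType(String authorization) {
        if (authorization == null || !authorization.startsWith("NTLM ")) return -1;
        byte[] msg;
        try {
            msg = Base64.getDecoder().decode(authorization.substring(5).trim());
        } catch (IllegalArgumentException e) {
            return -1;
        }
        if (msg.length < 12) return -1;
        for (int i = 0; i < SIGNATURE.length; i++) if (msg[i] != SIGNATURE[i]) return -1;
        // The 32-bit little-endian type field follows the 8-byte signature.
        return (msg[8] & 0xff) | (msg[9] & 0xff) << 8 | (msg[10] & 0xff) << 16 | (msg[11] & 0xff) << 24;
    }

    // authenticated: the session holds a non-null "NtlmHttpAuth" value.
    // renegotiate: hypothetical per-session flag set at logout; the caller must
    // clear it after REJECT_TYPE3_WITH_401 so the retyped credentials are validated.
    static Action decide(boolean authenticated, boolean renegotiate, String authorization) {
        int type = messageType(authorization);
        if (type == 1) return Action.SEND_TYPE2_CHALLENGE;
        if (type == 3) return renegotiate ? Action.REJECT_TYPE3_WITH_401 : Action.VALIDATE_TYPE3;
        return (authenticated && !renegotiate) ? Action.PASS_THROUGH : Action.SEND_401_NTLM;
    }

    // Constructed token: signature plus type field only, no flags or credentials.
    static String header(int type) {
        byte[] msg = new byte[12];
        System.arraycopy(SIGNATURE, 0, msg, 0, SIGNATURE.length);
        msg[8] = (byte) type;
        return "NTLM " + Base64.getEncoder().encodeToString(msg);
    }

    public static void main(String[] args) {
        System.out.println(decide(true, false, null));       // established session
        System.out.println(decide(false, true, null));       // after logout: challenge again
        System.out.println(decide(false, true, header(3)));  // automatic logon rejected once
        System.out.println(decide(false, false, header(3))); // flag cleared: validate new credentials
    }
}
```

A separate flag is used here because a null "NtlmHttpAuth" value alone cannot distinguish a user who just logged out from a brand-new session.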


