[jcifs] Turn off NTLM authentication in IE after it has been set?
andrew.stevens at gsjbw.com
Thu Jan 15 23:28:50 GMT 2004
Please excuse my ramblings if this is not relevant. It sounds like you are
trying to achieve similar functionality to what I have done.
We run Struts Web Apps in Tomcat, using the NtlmHttpFilter thingy.
A few key things here.
1. I never really turn off NTLM but it just appears that way to the end
2. We have the web server URL in the 'Intranet Zone' in IE Options so user
is only prompted for a log in 0 to 1 times ever.
3. We have an init-param in web.xml called 'useNTLM' which we can set to
If the init-param is set to false, we still present a HTML log in screen for
our existing Security Model.
The NTLM still authorises the user, but only on the first request (because
of point 2).
I haven't investigated further, but it may also be possible to
programmatically disable the NtlmHttpFilter.
There's probably classes available to change Web.xml settings on the fly
Or maybe you could re-compile the Filter, to accept a trigger (url param, or
system property etc) to tell it to not do NTLM filtering as required.
Oh boy, does this make any sense?
From: Chris_Conner at Dell.com [SMTP:Chris_Conner at Dell.com]
Sent: Friday, 16 January 2004 10:08
To: mba2000 at ioplex.com
Cc: jcifs at lists.samba.org
Subject: RE: [jcifs] Turn off NTLM authentication in IE after
it has been set?
Thanks for your response.
I would like to be able to turn NTLM off on IE (no IE login prompt) so I can
log in via my product logon screen. Do you know if there is a way to
IE's WWW-Authenticate to not use NTLM any longer after it has been
From: jcifs-bounces+chris_conner=dell.com at lists.samba.org
[mailto:jcifs-bounces+chris_conner=dell.com at lists.samba.org] On
Michael B Allen
Sent: Thursday, January 15, 2004 2:49 PM
To: Conner, Chris
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] Turn off NTLM authentication in IE after it has
> Need way to turn off NTLM in IE after it has been set?
> After the Authorization header "WWW-Authenticate= NTLM" is sent
> the client and the user is logged on via NTLM handshake, the user
> then wants to log out and log in manually using a different
> account. (non NTLM internal authentication via a servlet would be
> The problem is that I need a way to tell IE to not use NTLM
> authentication anymore. i.e. pass back something like
> header = none" to turn off NTLM from the client side? Does anyone
> know if this can be done?
NTLM HTTP auth is triggered entirely on the server side. Negotiation
triggered by replying to a GET or POST request with an unauthorized
WWW-Authenticate: NTLM header. Now the part you are probably
is the fact that if the negotiated credentials are rejected, IE will
the Enter Network Password Dialog. So, if you want users to be able
subvert the SSO mechanism so they can explicitly enter new
sent the unauthorized error and WWW-Authenticate: NTLM header the
number of times to trigger that dialog to come up. The trick is you
do this without losing track of what you're doing. I'm not certain how
thing would work. You could set the "NtlmHttpAuth" key in the
'null' as an indicator to the NtlmHttpFilter that this above
re-negotiation should take place. Of course that would require
Filter. I'm working on the Filter right now so maybe I'll explore
a little later.
A program should be written to model the concepts of the task it
rather than the physical world or a process because this maximizes
potential for it to be applied to tasks that are conceptually
more important, to tasks that have not yet been conceived.
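Added example, not part of the original thread and not jCIFS project code: one way to build the switch discussed above, as a servlet filter that wraps `jcifs.http.NtlmHttpFilter` and only lets it issue the `401` / `WWW-Authenticate: NTLM` challenge when NTLM is wanted. The class name `NtlmGateFilter` and the session key `app.formLoginRequested` are hypothetical; the `useNTLM` init-param is the one named in the thread. It assumes the `javax.servlet` API and jCIFS are on the web application's classpath.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical wrapper that decides per request whether NTLM SSO runs. */
public class NtlmGateFilter implements Filter {
    // Hypothetical session key, set server-side by the application's own
    // logout servlet when the user asks to sign in with another account.
    static final String FORM_LOGIN_FLAG = "app.formLoginRequested";

    private final Filter ntlm = new jcifs.http.NtlmHttpFilter();
    private boolean useNtlm;

    public void init(FilterConfig cfg) throws ServletException {
        // 'useNTLM' is the web.xml init-param from the thread; default is on.
        useNtlm = !"false".equalsIgnoreCase(cfg.getInitParameter("useNTLM"));
        if (useNtlm) {
            ntlm.init(cfg); // delegate is configured from the same FilterConfig
        }
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession(false); // never create one here
        boolean formLogin = session != null
                && Boolean.TRUE.equals(session.getAttribute(FORM_LOGIN_FLAG));

        if (!useNtlm || formLogin) {
            // No 401 + WWW-Authenticate: NTLM is sent, so the browser is not
            // asked to negotiate. The application's HTML login screen is then
            // the only thing authenticating this request.
            chain.doFilter(rq, rs);
            return;
        }
        // The NTLM filter may answer with 401 / WWW-Authenticate: NTLM itself.
        ntlm.doFilter(rq, rs, chain);
    }

    public void destroy() {
        if (useNtlm) {
            ntlm.destroy();
        }
    }
}
```

Register this class in web.xml in place of the NTLM filter, keeping the jCIFS init-params on the same `<filter>` element so the wrapped filter receives them.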