[jcifs] Turn off NTLM authentication in IE after it has been set?

Andrew Stevens andrew.stevens at gsjbw.com
Thu Jan 15 23:28:50 GMT 2004 

Chris,

Please excuse my rambling's if this is not relevant. It sounds like you are
trying to achieve similar functionality to what I have done.
We run Struts Web Apps in Tomcat, using the NtlmHttpFilter thingy.

A few key things here.
1. I never really turn off NTLM but it just appears that way to the end
user.
2. We have the web server URL in the 'Intranet Zone' in IE Options so user
is only prompted for a log in 0 to 1 times ever.
3. We have an init-param in web.xml called 'useNTLM' which we can set to
true/false.

If the init-param is set to false, we still present a HTML log in screen for
our existing Security Model.
The NTLM still authorises the user, but only on the first request (because
of point 2).

I haven't investigated further, but it may also be possible to
programatically disable the NtlmHttpFilter. 
There's probably classes available to change Web.xml settings on the fly
(?).

Or maybe you could re-compile the Filter, to accept a trigger (url param, or
system property etc) to tell it to not do NTLM filtering as required.

Oh boy, does this make any sense?

Cheers,
AS

	-----Original Message-----
	From:	Chris_Conner at Dell.com [SMTP:Chris_Conner at Dell.com]
	Sent:	Friday, 16 January 2004 10:08
	To:	mba2000 at ioplex.com
	Cc:	jcifs at lists.samba.org
	Subject:	RE: [jcifs] Turn off NTLM authentication in IE after
it has been set?

	Thanks for your response.
	I would like to be able to turn NTLM off on IE(no IE login prompt)
so I can
	log in via my product logon screen. Do you know if there is a way to
reset
	IE's WWW-Authenticate to not use NTLM any longer after it has been
set? 


	-Chris

	-----Original Message-----
	From: jcifs-bounces+chris_conner=dell.com at lists.samba.org
	[mailto:jcifs-bounces+chris_conner=dell.com at lists.samba.org] On
Behalf Of
	Michael B Allen
	Sent: Thursday, January 15, 2004 2:49 PM
	To: Conner, Chris
	Cc: jcifs at lists.samba.org
	Subject: Re: [jcifs] Turn off NTLM authentication in IE after it has
been
	set?



	>
	> Need way to turn off NTLM in IE after it has been set?
	>
	>  After the Authorization header "WWW-Authenticate= NTLM" is sent
to 
	> the  client and the user is logged on via NTLM handshake, the user

	> then wants to log out and log in manually using a different 
	> account.(non NTLM internal  authentication via a servlet would be 
	> used)
	>
	> The problem is that I need a way to tell IE to not use NTLM 
	> authentication  anymore. i.e. pass back something like
"Authorization 
	> header = none" to turn  off NTLM from the client side? Does anyone

	> know if this can be done?

	NTLM HTTP auth is triggered entirely on the server side. Negotiation
is
	triggered by replying to a GET or POST request with an unauthorized
error
	code and
	WWW-Authenticate: NTLM header. Now the part you are probably
interested in
	is the fact that if the negotiated credentials are rejected, IE will
pop up
	the Enter Network Password Dialog. So, if you want users to be able
to
	subvert the SSO mechanism so they can explicitly enter new
credentials just
	sent the unauthorized error and WWW-Authenticate: NTLM header the
right
	number of times to trigger that dialog to come up. The trick is you
need to
	do this without losing track of what your doing. I'm not certain how
such a
	thing would work. You could set the "NtlmHttpAuth" key in the
HttpSession to
	'null' as an indicator to the NtlmHttpFilter that this above
described
	re-negotiation should take place. Of course that would require
changing the
	Filter. I'm working on the Filter right now so maybe I'll explore
this idea
	a little later.

	Mike


	-- 
	A program should be written to  model the concepts of the task it
performs
	rather than the physical world or a process because this maximizes
the
	potential for it  to be applied  to tasks that are conceptually
similar and,
	more  important, to tasks that have not yet been conceived.


Goldman Sachs JBWere
Disclosure of Interest
ORG:  Goldman Sachs JBWere and/or its affiliates expect to receive or intend to seek compensation for financial and advisory services in the next 3 months from the company or its affiliates.



GOLDMAN SACHS JBWERE PTY LTD DISCLAIMER

Goldman Sachs JBWere Pty Ltd and its related entities distributing this document and each of their respective directors, officers and agents ("the Goldman Sachs JBWere Group") believe that the information contained in this document is correct and that any estimates, opinions, conclusions or recommendations contained in this document are reasonably held or made as at the time of compilation.  However, no warranty is made as to the accuracy or reliability of any estimates, opinions, conclusions, recommendations (which may change without notice) or other information contained in this document and, to the maximum extent permitted by law, the Goldman Sachs JBWere Group disclaims all liability and responsibility for any direct or indirect loss or damage which may be suffered by any recipient through relying on anything contained or omitted from this document.

Goldman Sachs JBWere does not represent or warrant the attached files are free from computer viruses or other defects.  The attached files are provided, and may only be used, on the basis that the user assumes all responsibility for any loss, damage or consequence resulting directly or indirectly from use.

More information about the jcifs mailing list