[jcifs] Re: Request: Jcifs + Win 2003 / Active Directory

Michael B Allen mba2000 at ioplex.com
Thu Jan 22 00:45:51 GMT 2004


Andrew Stevens said:
> I hope you don't mind that I've emailed you directly. Here's my problem...

Hi Andrew,

I work for a large financial as well so I know you have certain privacy
considerations but this *is* an Open Source project so we need to try to
keep this high level stuff on the mailing list.

> We have a nice implementation of jcifs NTLM HTTP (filter) authorisation
> working --> Tomcat on Linux / NT4 Servers for domains etc.
> To get the implementation approved, our Security Manager wants me to
> definitively state whether this will work with Win2000 and Win2003.
> Specifically to state whether this will work with Active Directory.
> He has a test environment running Win2003 & AD. I supplied a bundled Tomcat
> & JCIFS to try in that environment.
> Apparently it didn't work, but he couldn't provide much details as to why
> (maybe he doesn't want it to work. I'm not sure.)
>
> So, can you provide me with a summary of the state of Jcifs with Active
> Directory?

I don't think AD is involved at all. All JCIFS is doing is using NTLM
password hashes supplied by IE to authenticate users against IPC$ on the
domain controller (or an intermediate machine that will communicate with
the domain controller such as the web server). But frankly I do not know a
lot about AD.

> Does this imply NTLMv2? I've read JCIFS may or may not work with NTLMv2. Do
> know much about the conditions which allow this to work or not?

JCIFS does NOT support NTLMv2. It does however support LMv2 which from a
security standpoint is claimed to be as good as NTLMv2. How that would
work in the recommended MS environment with AD I just don't know yet.

> Are there specific settings which I can change to make this work? Or is it a
> case of me needing to develop a custom NTLM HTTP filter based on the JCIFS
> packages?

The only practical way to determine what would be necessary for it to work
in the said environment is to try it.

Mike
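To make the LMv2 versus NTLMv2 comparison above concrete, here is an added example (not jCIFS code, not from this thread) that computes both responses from the same NTOWFv2 key and then verifies an LMv2 response the way a domain controller or intermediary would, using only the stored NT hash. It uses the MS-NLMP 4.2.4 test-vector inputs; the MD4 is implemented inline because hashlib's md4 is missing on many OpenSSL 3 builds, and the single target-info AV pair in the demo is constructed.

```python
import hashlib, hmac, struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing on OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rot = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X, (aa, bb, cc, dd) = struct.unpack("<16I", msg[off:off + 64]), (a, b, c, d)
        for i in range(48):  # three rounds of 16 steps; roles rotate each step
            if i < 16:   f, k, s, t = F, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32: f, k, s, t = G, (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:        f, k, s, t = H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rot((a + f(b, c, d) + X[k] + t) & 0xFFFFFFFF, s), b, c
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)

def ntowf_v1(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))  # the NT hash the domain controller stores

def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    # MS-NLMP: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (domain case kept)
    return hmac.new(ntowf_v1(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def lmv2_response(key: bytes, server_challenge: bytes, client_challenge: bytes) -> bytes:
    # LMv2 MACs only the two 8-byte challenges; the client nonce is appended in the clear
    return hmac.new(key, server_challenge + client_challenge, hashlib.md5).digest() + client_challenge

def ntlmv2_response(key: bytes, server_challenge: bytes, timestamp: bytes, client_challenge: bytes, target_info: bytes) -> bytes:
    # NTLMv2 additionally binds a FILETIME timestamp and the server's target-info AV pairs under the MAC
    blob = b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest() + blob

def verify_lmv2(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    # Verifier side (DC or intermediary): recompute from the stored NT hash; the password itself is never needed
    key = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    expected = hmac.new(key, server_challenge + response[16:], hashlib.md5).digest()
    return len(response) == 24 and hmac.compare_digest(expected, response[:16])

if __name__ == "__main__":
    # MS-NLMP 4.2.4 test-vector inputs; the MsvAvNbDomainName AV pair below is constructed for this demo
    key, srv, cli = ntowf_v2("Password", "User", "Domain"), bytes.fromhex("0123456789abcdef"), b"\xaa" * 8
    av = b"\x02\x00\x0c\x00" + "Domain".encode("utf-16-le") + b"\x00\x00\x00\x00"
    print("LMv2  :", lmv2_response(key, srv, cli).hex())
    print("NTLMv2:", ntlmv2_response(key, srv, b"\x00" * 8, cli, av).hex())
    print("verify:", verify_lmv2(ntowf_v1("Password"), "User", "Domain", srv, lmv2_response(key, srv, cli)))
```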
