[jcifs] NtlmHttpFilter - authentication

Michael B Allen mba2000 at ioplex.com
Wed Mar 3 03:28:31 GMT 2004


Chris_Conner at Dell.com said:
>
> Can someone tell me how the NtlmHttpFilter authenticates the user to the
> domain controller?
>
> My understanding is that IE only passes the username, password hash and
> domain to the server. How does jcifs authenticate to the domain
> controller without having a cleartext password?

When jCIFS authenticates a user using a cleartext password it performs the
NTLM password hash operations and submits those to the target using an
SmbComSessionSetupAndX operation. The password hash provided by IE will be
identical given the same password and server challenge. So jCIFS just acts
as a man-in-the-middle passing the server challenge to the client and
submitting the resulting password hashes. Because the client doesn't
specify a target object on the server we just use IPC$. Ideally we should
really do what a workstation would do which would be to "join the domain"
and perform the NETLOGON RPC. Currently we do not do this because we do
not support RPC (yet) but the effect is the same.

There is a looming problem however. This technique does not work in a pure
AD environment.

> Is jcifs opening up a socket to the domain controller and passing in
> these credentials

Yes.

> or calling a Microsoft API???

No.

>
> Are there any Microsoft APIs that can be called to authenticate with a
> password hash?

Yes. I've never looked to see the API specifically but I can almost
guarantee you such a thing exists. See msdn.ms.com.

Mike
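
The pass-through described in the reply above, modelled as an added example (not jCIFS code and not part of the original post). SHA-256 and HMAC-SHA256 are stand-ins for the NTLM hash and response computations, and the class names and session ids are hypothetical. It shows that the middle party only ever handles the challenge and the response, and that a response verifies only against the challenge it was computed over.

```python
import hashlib, hmac, os

# Stand-ins (assumptions): SHA-256 replaces the NT hash and HMAC-SHA256 replaces
# the NTLM response function; only the challenge/response shape matches NTLM.
def password_hash(password):
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def response(pw_hash, challenge):
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

class DomainController:
    """Holds the password hashes and issues one challenge per session."""
    def __init__(self, accounts):
        self.hashes = {u: password_hash(p) for u, p in accounts.items()}
        self.pending = {}

    def negotiate(self, session):
        self.pending[session] = os.urandom(8)
        return self.pending[session]

    def session_setup(self, session, user, resp):
        challenge = self.pending.pop(session, None)  # a challenge is single use
        if challenge is None or user not in self.hashes:
            return False
        return hmac.compare_digest(resp, response(self.hashes[user], challenge))

class Client:
    """The browser: knows the password, sends only the computed response."""
    def __init__(self, user, password):
        self.user, self.password = user, password

    def answer(self, challenge):
        return self.user, response(password_hash(self.password), challenge)

class PassThroughFilter:
    """Middle party: forwards challenge and response, stores no secret."""
    def __init__(self, dc):
        self.dc, self.seen = dc, []

    def authenticate(self, session, client):
        challenge = self.dc.negotiate(session)
        user, resp = client.answer(challenge)
        self.seen.append((user, challenge, resp))  # all the filter ever holds
        return self.dc.session_setup(session, user, resp)

def replay(dc, session, user, old_resp):
    """Resubmit a recorded response on a new session, i.e. a new challenge."""
    dc.negotiate(session)
    return dc.session_setup(session, user, old_resp)
```
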

