[jcifs] NtlmHttpFilter - authentication

Chris_Conner at Dell.com Chris_Conner at Dell.com
Wed Mar 3 15:03:17 GMT 2004


What do you mean exactly by the statement below? We are running on an AD
network (domain controllers - win2k/win2k3).
Since we are using AD does this mean that the NtlmHttpFilter will not
work?

Basically, what I need to do is, after the user is authenticated via NTLM,
query Active Directory (AD) for the privileges that the user
has for our application. In the case of single-sign-on IE only passes a
password hash (no cleartext password). I cannot figure out how to
bind (LDAP or ADSI) to AD without a user's cleartext password.

Does anyone have any suggestions on how to accomplish this task?

Chris

> There is a looming problem however. This technique does not work in a
> pure AD environment.


-----Original Message-----
From: Michael B Allen [mailto:mba2000 at ioplex.com] 
Sent: Tuesday, March 02, 2004 9:29 PM
To: Conner, Chris
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] NtlmHttpFilter - authentication


Chris_Conner at Dell.com said:
>
> Can someone tell me how the NtlmHttpFilter authenticates the user to 
> the domain controller?
>
> My understanding is that IE only passes the username, password hash 
> and domain to the server. How does jcifs authenticate to the domain 
> controller without having a cleartext password?

When jCIFS authenticates a user using a cleartext password it performs
the NTLM password hash operations and submits those to the target using
an SmbComSessionSetupAndX operation. The password hash provided by IE
will be identical given the same password and server challenge. So jCIFS
just acts as a man-in-the-middle passing the server challenge to the
client and submitting the resulting password hashes. Because the client
doesn't specify a target object on the server we just use IPC$. Ideally
we should really do what a workstation would do which would be to "join
the domain" and perform the NETLOGON RPC. Currently we do not do this
because we do not support RPC (yet) but the effect is the same.

There is a looming problem however. This technique does not work in a
pure AD environment.

> Is jcifs opening up a socket to the domain controller and passing in 
> these credentials

Yes.

> or calling a microsoft API???

No.

>
> Are there any microsoft API's that can be called to authenticate with 
> a password hash?

Yes. I've never looked to see the API specifically but I can almost
guarantee you such a thing exists. See msdn.ms.com.

Mike
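
Added illustration, not part of the thread and not jCIFS code: a standard-library Python simulation of the pass-through described above, showing that the filter relays only a challenge-bound response and that this response is rejected when presented for a second logon. The `DomainController` class, the account names and the hash bytes are constructed, and the response uses the HMAC-MD5 NTLMv2 formula with a simplified client blob instead of the DES-based NTLMv1 responses.

```python
import hashlib
import hmac
import os

def client_response(nt_hash, user, domain, challenge, blob):
    """NTLMv2-style proof: keyed by the password hash, bound to one challenge."""
    ident = (user.upper() + domain).encode("utf-16-le")
    key = hmac.new(nt_hash, ident, hashlib.md5).digest()
    proof = hmac.new(key, challenge + blob, hashlib.md5).digest()
    return proof + blob

class DomainController:
    """Constructed stand-in for the DC: stores hashes, issues challenges."""
    def __init__(self, accounts):
        self.accounts = accounts      # {(domain, user): nt_hash}
        self.pending = {}             # session id -> outstanding challenge

    def new_challenge(self, session):
        self.pending[session] = os.urandom(8)
        return self.pending[session]

    def verify(self, session, domain, user, response):
        challenge = self.pending.pop(session, None)   # each challenge is single-use
        nt_hash = self.accounts.get((domain, user))
        if challenge is None or nt_hash is None or len(response) < 16:
            return False
        expected = client_response(nt_hash, user, domain, challenge, response[16:])
        return hmac.compare_digest(expected, response)

def filter_passthrough(dc, session, client):
    """The filter's role: relay the DC challenge out and the response back."""
    challenge = dc.new_challenge(session)
    domain, user, response = client(challenge)
    return dc.verify(session, domain, user, response), (domain, user, response)

def demo():
    nt_hash = bytes(range(16))  # constructed; stands in for MD4(UTF-16LE(password))
    dc = DomainController({("EXAMPLE", "alice"): nt_hash})
    def browser(challenge):     # only the client ever touches nt_hash
        blob = os.urandom(8)    # simplified client blob (real one has more fields)
        return "EXAMPLE", "alice", client_response(nt_hash, "alice", "EXAMPLE", challenge, blob)
    ok, seen = filter_passthrough(dc, "http-1", browser)
    # All the filter holds is `seen`. Presenting it for a second logon fails,
    # because the DC issues a fresh challenge for that session.
    reused, _ = filter_passthrough(dc, "bind-1", lambda challenge: seen)
    return ok, reused

if __name__ == "__main__":
    print(demo())
```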


