[jcifs] NtlmHttpFilter - authentication
Eric
eglass1 at comcast.net
Thu Mar 4 00:19:00 GMT 2004
Michael B Allen wrote:
> eglass1 at comcast.net said:
>
>>>There is a looming problem however. This technique does not work in a
>>>pure AD environment.
>>>
>>
>>Which part causes issues?
>
>
> I thought we had some people with AD issues? Since we never quite resolved
> them I assumed there was an issue with those environments because we do
> IPC$ on port 139. Glad to hear that may not be true.
>
There probably would be issues -- I just wasn't clear on which part
specifically. I think you're correct; in a pure AD environment you
would typically just do "raw" SMB over TCP on port 445 (which we
currently don't support). I suppose you could maybe install NetBIOS on
a single server and use that as the "domain controller" for the filter;
not entirely sure if that would work or not, but it would make for an
interesting experiment. If support for port 445 is implemented in jCIFS
that should work as well.

In a pure active directory environment, extended security is typically
used to negotiate Kerberos authentication via SPNEGO. There isn't any
requirement for this, however; you can always negotiate NTLM over
SPNEGO, or just use raw NTLM. I believe NTLM is always available, as
it's needed for member-member and inter-forest authentication.
Eric
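
The three options named in the message above (Kerberos via SPNEGO, NTLM over SPNEGO, raw NTLM) can be told apart from the leading bytes of the token a client sends in the HTTP `Authorization` header. This is an added example, not part of the original post and not jCIFS code; `classify`, `read_tlv` and the sample tokens are names and data constructed here for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                      # signature that opens every NTLM message
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
MECHS = {bytes.fromhex("2a864886f712010202"): "Kerberos",   # 1.2.840.113554.1.2.2
         bytes.fromhex("2b06010401823702020a"): "NTLM"}     # 1.3.6.1.4.1.311.2.2.10

def read_tlv(buf, pos, want=None):
    """Read one DER element at buf[pos]; return (value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if (want is not None and tag != want) or pos + length > len(buf):
        raise ValueError("unexpected or truncated DER element")
    return buf[pos:pos + length], pos + length

def classify(header_value):
    """Return (scheme, kind, details) for an Authorization header value."""
    scheme, _, b64 = header_value.partition(" ")
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(NTLMSSP_SIG):         # raw NTLM, no SPNEGO wrapper
            return scheme, "raw-ntlm", ["type%d" % int.from_bytes(token[8:12], "little")]
        body, _ = read_tlv(token, 0, 0x60)        # GSS-API initial context token
        oid, pos = read_tlv(body, 0, 0x06)
        if oid != SPNEGO_OID:
            raise ValueError("not SPNEGO")
        init, _ = read_tlv(body, pos, 0xA0)       # NegTokenInit
        seq, _ = read_tlv(init, 0, 0x30)
        mech_types, _ = read_tlv(seq, 0, 0xA0)    # [0] mechTypes
        oids, _ = read_tlv(mech_types, 0, 0x30)
        mechs, pos = [], 0
        while pos < len(oids):                    # offered mechanisms, in preference order
            oid, pos = read_tlv(oids, pos, 0x06)
            mechs.append(MECHS.get(oid, oid.hex()))
        return scheme, "spnego", mechs
    except (ValueError, IndexError):              # bad base64, truncated or foreign token
        return scheme, "unrecognized", []

def _tlv(tag, value):                             # short-form encoder for the constructed sample
    return bytes([tag, len(value)]) + value

# Constructed samples (not captured traffic): an NTLM Type 1 message and a
# SPNEGO NegTokenInit offering Kerberos first, then NTLM.
_mech_list = _tlv(0x30, b"".join(_tlv(0x06, o) for o in MECHS))
_spnego = _tlv(0x60, _tlv(0x06, SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _mech_list))))
SAMPLE_RAW = "NTLM " + base64.b64encode(NTLMSSP_SIG + bytes.fromhex("0100000007820800")).decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(_spnego).decode()
```

The classification is made on the token bytes, so a raw NTLMSSP message sent under the `Negotiate` scheme is still reported as `raw-ntlm`.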