[jcifs] NtlmHttpFilter - authentication

[Eric]

Michael B Allen wrote:
> eglass1 at comcast.net said:
> 
>>>There is a looming problem however. This technique does not work in a
>>>pure
>>>AD environment.
>>>
>>
>>Which part causes issues?
> 
> 
> I thought we had some people with AD issues? Since we never quite resolved
> them I assumed there was an issue with those environments because we do
> IPC$ on port 139. Glad to hear that may not be true.
> 

There probably would be issues -- I just wasn't clear on which part 
specifically.  I think you're correct; in a pure AD environment you 
would typically just do "raw" SMB over TCP on port 445 (which we 
currently don't support).  I suppose you could maybe install NetBIOS on 
a single server and use that as the "domain controller" for the filter; 
not entirely sure if that would work or not, but it would make for an 
interesting experiment.  If support for port 445 is implemented in jCIFS 
that should work as well.

In a pure active directory environment, extended security is typically 
used to negotiate Kerberos authentication via SPNEGO.  There isn't any 
requirement for this, however; you can always negotiate NTLM over 
SPNEGO, or just use raw NTLM.  I believe NTLM is always available, as 
it's needed for member-member and inter-forest authentication.

Eric