[jcifs] NtlmHttpFilter - authentication

Eric eglass1 at comcast.net
Fri Mar 5 01:09:36 GMT 2004


> 
> Would it be cleaner to just implement the extended security negotiation?
> We don't have to do Kerberos. Right?
> 

Right.  Raw NTLM would be fine (i.e., it would just pass the type 1 etc. 
messages, same as the filter).  Really, extended security is just like 
SSPI; opaque tokens are passed back and forth until a status code 
indicates the process is completed.  Underlying providers interpret the 
tokens.  The easiest would probably be the raw NTLM; then SPNEGO with 
NTLM (basically a SPNEGO wrapper which only indicates support for NTLM); 
then SPNEGO with Kerberos.  Extended security requires NT status codes, 
but I believe you were close to having that implemented anyways.

> 
> I have NT4. But none of the servers are configured to perform extended
> security. I have a Win2000 machine next to me but I tried to change the
> registry setting on it for signing once to no effect. I may not have the
> proper rights on it. I have both NT4 and Win2000 at home though. Maybe I
> can get it to work there (for a rainy day though).
> 

Just the client would be fine; I'd just like to see what a non-extended 
security negotiation looks like with LmCompatibility set to 3.  If 
you've got an NT4 workstation, setting that and accessing any share 
should work.  I'm interested to see how they construct the target 
information block in the NTLMv2 response.

Eric
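
An added example, not part of the original message or of jcifs: a bounds-checked decoder for the target information block mentioned above, useful for inspecting one taken from a trace. It assumes the commonly documented layout (subblocks of little-endian type, length and value, ended by a type 0 subblock, placed after a 16-byte HMAC and a 28-byte blob header in the NTLMv2 response); the function names, labels and sample bytes are constructed for illustration.

```python
import struct

# Subblock type ids; the dictionary values are descriptive labels chosen for this example.
AV_NAMES = {1: "netbios_computer", 2: "netbios_domain",
            3: "dns_computer", 4: "dns_domain"}
BLOB_OFFSET = 16  # an NTLMv2 response is a 16-byte HMAC-MD5 followed by the blob
BLOB_HEADER = 28  # blob signature, reserved, timestamp, client nonce, unknown

def parse_target_info(block):
    """Decode a target information block into (label, value) pairs.

    Each subblock is type (uint16 LE), length (uint16 LE), value; a subblock
    of type 0 ends the list. Raises ValueError on truncated or malformed input.
    """
    pairs, pos = [], 0
    while True:
        if pos + 4 > len(block):
            raise ValueError("no terminator subblock before end of data")
        av_id, av_len = struct.unpack_from("<HH", block, pos)
        pos += 4
        if av_id == 0:
            return pairs  # bytes after the terminator are not part of the block
        if pos + av_len > len(block):
            raise ValueError("subblock length runs past end of data")
        value = block[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:
            pairs.append((AV_NAMES[av_id], value.decode("utf-16-le")))
        else:
            pairs.append(("type_%d" % av_id, value.hex()))

def target_info_from_ntlmv2_response(response):
    """Locate the target information block inside an NTLMv2 response."""
    start = BLOB_OFFSET + BLOB_HEADER
    if len(response) < start or response[16:20] != b"\x01\x01\x00\x00":
        raise ValueError("not an NTLMv2 response blob")
    return parse_target_info(response[start:])

def _subblock(av_id, text):
    raw = text.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(raw)) + raw

# Constructed sample data (not a captured packet): zeroed HMAC, timestamp and nonce.
SAMPLE_BLOCK = _subblock(2, "DOMAIN") + _subblock(1, "SERVER") + struct.pack("<HH", 0, 0)
SAMPLE_RESPONSE = (bytes(16) + b"\x01\x01\x00\x00" + bytes(24)
                   + SAMPLE_BLOCK + bytes(4))

if __name__ == "__main__":
    print(target_info_from_ntlmv2_response(SAMPLE_RESPONSE))
```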


