[jcifs] NTLM HTTP authentication with multiple domains

Eric eglass1 at comcast.net
Fri Mar 12 00:23:24 GMT 2004


> No. That document is not very good. The type-1-message has the NetBIOS
> *workgroup* which is frequently different from the NT domain.
> 

It's actually the primary domain for the client workstation (from what 
I've observed); it's used for local authentication.  The client says, 
"here's my workstation name and domain".  The server looks at that and 
sets the local auth flag if it matches its own name and domain.  If so, 
the client sends an empty type 3 message and completes the handshake 
internally (within the NTLM SSPI provider).

It's only sent when "automatic" authentication is enabled (i.e., "log on 
using current username and password" from IE options), as local 
authentication can only employ the active credentials from the desktop 
session.  It's also not sent by Win9x clients.  And also, when it is 
sent, it's the primary domain for the client and not necessarily the 
domain in which the user's account resides.


Eric
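
The following Python parser is an added example, not part of the original message and not jcifs code. It reads the optional supplied domain and workstation from a Type 1 message carried in an HTTP Authorization header. The flag values and offsets follow the commonly documented NTLM Type 1 layout; the function names and the sample values CORP and WKSTN01 are constructed.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"
DOMAIN_SUPPLIED = 0x00001000       # Negotiate Domain Supplied flag
WORKSTATION_SUPPLIED = 0x00002000  # Negotiate Workstation Supplied flag


def _read_buffer(msg, pos):
    # Security buffer: uint16 length, uint16 allocated, uint32 offset (LE).
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length].decode("ascii", "replace")


def parse_type1(header_value):
    """Parse an 'NTLM <base64>' Authorization value holding a Type 1 message."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 16 or msg[:8] != SIG:
        raise ValueError("bad NTLMSSP signature")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != 1:
        raise ValueError("not a Type 1 message")
    out = {"flags": flags, "domain": None, "workstation": None}
    # Both fields are optional and OEM-encoded; they only describe the client
    # machine, so they are reported separately from any user identity.
    if flags & DOMAIN_SUPPLIED and len(msg) >= 24:
        out["domain"] = _read_buffer(msg, 16)
    if flags & WORKSTATION_SUPPLIED and len(msg) >= 32:
        out["workstation"] = _read_buffer(msg, 24)
    return out


def build_sample(domain=b"", workstation=b""):
    """Build a constructed Type 1 header for testing (not a real capture)."""
    flags = 0x00000202  # Negotiate OEM | Negotiate NTLM
    flags |= DOMAIN_SUPPLIED if domain else 0
    flags |= WORKSTATION_SUPPLIED if workstation else 0
    msg = SIG + struct.pack("<II", 1, flags)
    msg += struct.pack("<HHI", len(domain), len(domain), 32 + len(workstation))
    msg += struct.pack("<HHI", len(workstation), len(workstation), 32)
    msg += workstation + domain
    return "NTLM " + base64.b64encode(msg).decode("ascii")
```

Since the Type 1 domain may be absent and, when present, names the client's primary domain, a server handling several domains should not use it as the user's account domain.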


