[jcifs] Authentication across multiple PDCs

Michael B Allen mba2000 at ioplex.com
Thu Oct 14 18:46:02 GMT 2004


On Thu, 14 Oct 2004 18:11:47 +0000 (UTC)
Jon Erdman <jon.erdman at solers.com> wrote:

> I have a requirement to support single sign-on across multiple PDCs.  The
> basic idea is that when I get the Type 1 message I pull out the domain, 

The domain field in the type 1 message is the workstation domain, not the
user domain.

> compare it to a map of domain name/domain controller pairs, and proceed
> with authentication.  I am testing this from Windows XP and 2000 boxes
> connecting to my webapp using IE 6.0. The webapp then performs the
> authentication.

Well if jcifs.smb.client.domain has a trust relationship with the other
domains against which you wish to authenticate clients then the filter
should work out of the box. If there are no such trust relationships
then yes you can pretty easily hack the filter to lookup the domain in
a map of workstation domains from the type 1 message.

> I have this working for the most part, but the domain in the Type 1
> message is optional.  In some cases the browser is not sending the domain.
> Is there any way to form an additional request for this information?  If
> not, does anyone

Yes, if the client does not send useful information you can do a Node
Status on its IP with jcifs.netbios.NbtAddress.getAllByAddress and look
for the 0x00 group name [1].

> know of browser or machine settings that would cause the domain not to be
> sent?

Windows 95/98/ME maybe? Mozilla? Opera? Donno.

Mike

[1] I think that's it, look here:
    http://jcifs.samba.org/src/docs/nbtcodes.html

-- 
Greedo shoots first? Not in my Star Wars.
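
The lookup discussed in this thread, as an added example (not code from the post or from the jcifs filter itself): read the optional workstation domain from the Type 1 token, fall back to a Node Status query for the 0x00 group name, then pick a controller from a map. It assumes the jcifs 1.x jar on the classpath; the class name, map contents, host names and IP address are constructed for illustration.

```java
import java.io.IOException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Map;
import jcifs.netbios.NbtAddress;
import jcifs.ntlmssp.Type1Message;
import jcifs.util.Base64;

public class DomainRouter {
    // Hypothetical workstation-domain -> domain-controller map (constructed values).
    static final Map<String, String> CONTROLLERS = Map.of(
            "ENGINEERING", "dc1.example.test",
            "SALES", "dc2.example.test");

    // Workstation domain carried in the Type 1 token, or null when the client omitted it.
    static String fromType1(String header) throws IOException {
        byte[] token = Base64.decode(header.substring("NTLM ".length()));
        String d = new Type1Message(token).getSuppliedDomain();
        return (d == null || d.isEmpty()) ? null : d.toUpperCase(Locale.ROOT);
    }

    // Fallback from the thread: Node Status on the client's IP, take the 0x00 group name.
    static String fromNodeStatus(String clientIp) {
        try {
            for (NbtAddress a : NbtAddress.getAllByAddress(clientIp)) {
                if (a.getNameType() == 0x00 && a.isGroupAddress()) {
                    return a.getHostName().toUpperCase(Locale.ROOT);
                }
            }
        } catch (UnknownHostException e) {
            // Client did not answer the Node Status query (firewall, no NetBIOS).
        }
        return null;
    }

    // Both sources are unauthenticated hints: they only select which controller
    // validates the later Type 3 response. Unknown or missing domain returns null
    // so the caller can reject instead of defaulting to some controller.
    static String pickController(String header, String clientIp) throws IOException {
        String domain = fromType1(header);
        if (domain == null) domain = fromNodeStatus(clientIp);
        return domain == null ? null : CONTROLLERS.get(domain);
    }

    public static void main(String[] args) throws IOException {
        // Constructed Type 1 token that does supply a domain, so this runs offline.
        byte[] t1 = new Type1Message(0, "sales", "WS01").toByteArray();
        String header = "NTLM " + Base64.encode(t1);
        System.out.println(pickController(header, "192.0.2.10"));
    }
}
```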

