[jcifs] NTLMv2 issues

Tapperson Kevin Kevin.Tapperson at hcahealthcare.com
Mon Mar 28 13:26:29 GMT 2005


Has anyone had any issues with using jcifs with the lmCompatibility property
set to 3 or higher?  We have experienced some issues with it and I thought
I'd ask the group.  (We are using the jcifs http filter for automatic login
to our corporate intranet.)

If we run jcifs with lmCompatibility set to 0, 1 or 2 we cannot properly
authenticate ANY users who have their Windows lmcompatibilitylevel registry
setting at 3 or higher.  This is expected as those users would be using LMv2
and NTLMv2 exclusively.

If we run jcifs with lmCompatibility set to 3 or higher, it appears to work
fine for MOST users.  It continues to work fine for MOST users who were
previously able to authenticate when jcifs lmCompatibility was set to 0.
The users with their Windows lmcompatibilitylevel registry setting at 3 or
higher now authenticate properly.  However, we have a select small group of
users, who had been able to properly authenticate when jcifs lmCompatibility
was set to 0, but can no longer authenticate properly.  The strange thing
about it is that this issue appears to be related to the user account and
not to the machine that the user is authenticating from.  The same user will
be unable to authenticate regardless of which machine they log in to.

I understand that when a client uses LMv2/NTLMv2 and the jcifs
lmCompatibility property is set to 3 or higher, jcifs only forwards the LMv2
portion of the client response.  This is fine.  However, I suspect that if a
client uses LM/NTLM (v1) (Windows registry set to 0, 1 or 2) and the jcifs
lmCompatibility property is set to 3 or higher, jcifs will still only
forward the LM portion of the client response (even though it has a valid
NTLM response and could forward that).  Can anyone confirm this?  I have
been through the jcifs code (Type3Message.<init>) and this appears to be the
case; the jcifs code does not distinguish between an LM and an LMv2 response
from the client.  My guess then is that these users that are having trouble
authenticating have something flagged on their account in Active Directory
to deny them the ability to authenticate using only the LM password hash, or
simply don't have an LM password hash stored in the DC.  If this is the
case, does anyone know how to create an account with such a configuration?
I really need a reproducible scenario to debug this, but cannot keep asking
users to come to my desk and try to log in for me.  Our Identity Management
team has been less than cooperative in trying to identify any potential
problems here (or anywhere else for that matter).

Thanks!

Kevin Tapperson
Consulting Java Developer
Product Development: Enterprise Systems
HCA Information Technology & Services

One Park Plaza B3-2
Nashville, TN 37203
w:  www.hcahealthcare.com
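The distinction the post is asking about, that an LM and an LMv2 response look alike in the Type 3 message, can be checked from the message itself. Below is an added example, not code from the original post or from the jcifs project: a minimal NTLM Type 3 parser that classifies the client dialect from the NT response length (NTLMv1 is exactly 24 bytes, NTLMv2 is a 16-byte HMAC plus a variable blob), which the 24-byte LM field alone cannot tell. The security-buffer layout follows the standard NTLMSSP format; the builder, the flag value and the sample messages are constructed for the example.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
TYPE3 = 3

def build_type3(lm, nt, domain, user, workstation="WS01"):
    """Assemble a minimal NTLM Type 3 (authenticate) message for testing.
    Constructed example: real clients also negotiate flags and a session key."""
    fields = [lm, nt, domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]   # session key left empty
    header_len = 8 + 4 + 8 * len(fields) + 4           # sig, type, 6 buffers, flags
    bufs, payload, off = b"", b"", header_len
    for f in fields:
        bufs += struct.pack("<HHI", len(f), len(f), off)   # Len, MaxLen, Offset
        payload += f
        off += len(f)
    flags = 0x00008205  # example value: UNICODE | REQUEST_TARGET | NTLM | ALWAYS_SIGN
    return SIGNATURE + struct.pack("<I", TYPE3) + bufs + struct.pack("<I", flags) + payload

def _sec_buf(msg, off):
    """Read one security buffer descriptor and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    if offset + length > len(msg):
        raise ValueError("security buffer points past end of message")
    return msg[offset:offset + length]

def parse_type3(msg):
    """Return (lm_response, nt_response, user_name) from a Type 3 message."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != TYPE3:
        raise ValueError("not an NTLM Type 3 message")
    lm, nt = _sec_buf(msg, 12), _sec_buf(msg, 20)      # buffers 0 and 1
    user = _sec_buf(msg, 36).decode("utf-16-le")      # buffer 3 (2 is domain)
    return lm, nt, user

def classify_client(lm, nt):
    """Which dialect did the client use? LM and LMv2 are both 24 bytes, so the
    LM field cannot tell; the NT field can, because NTLMv2 is always longer."""
    if len(nt) > 24:
        return "LMv2/NTLMv2"
    if len(nt) == 24 and len(lm) == 24:
        return "LM/NTLM (v1)"       # includes level 2 clients, which send NTLM in both fields
    if len(nt) == 0 and len(lm) == 24:
        return "LM only"
    return "unrecognized"

if __name__ == "__main__":
    v1 = build_type3(bytes(24), bytes(range(24)), "EXAMPLE", "v1user")
    v2 = build_type3(bytes(24), bytes(16) + b"\x01\x01" + bytes(46), "EXAMPLE", "v2user")
    for m in (v1, v2):
        lm, nt, user = parse_type3(m)
        print(user, classify_client(lm, nt))
```

A relay or filter that sees "LM/NTLM (v1)" holds a full 24-byte NTLM response and need not fall back to the LM field alone.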