[jcifs] Jcifs over the internet and proxies

Michael B Allen mba2000 at ioplex.com
Tue Oct 4 17:47:11 GMT 2005


On Tue, 04 Oct 2005 17:48:10 +0100
"Pattison, David" <david.pattison at siemens.com> wrote:

> Hi all,
>  
> I'm wondering how or if there is a solution for the following situation: We
> have a customer at an internal company site, who is accessing our web-app
> over the internet, with the app being held at another company site. The
> problem is that both company sites are behind proxies/firewalls (I believe
> it is an MS proxy of some kind), and the web app itself is on a personal
> network. When a user at the other site tries to access the web app, they are
> given the password prompt, at which they enter the details for the personal
> network (which will in turn authenticate them for the web-app via NTLM). The
> app then simply stalls, and an ethereal trace shows that there are constant
> NTLM_CHALLENGE packets being sent, closely followed by 407 Proxy
> Authentication Required messages. These NTLM_CHALLENGE messages are trying
> to authenticate with the username of the original site, not the username
> which has just been entered (in fact there is no reference to this anywhere
> in the trace I caught).
>  
> Does anyone have any thoughts on why this is happening, or a possible
> solution? My own theory is that once the first NTLM 401 is returned from the
> web app and the valid credentials provided, the proxy is ignoring these and
> replacing them with the remote user's credentials, as these are required for
> web access. Meaning that once it gets to the other side the wrong
> credentials are in use. But as I say, that is just a theory based on my
> limited experience.

You have two different authentication protocols overlapping on top
of one another. The NTLM HTTP authentication handshake is a 3 message
request/reply. The proxy probably wants to authenticate 2 or more of
these messages. This is pretty much a lost cause. You don't want to
use NTLM over the internet anyway. Use Basic authentication. The proxy
will probably understand that and the JCIFS filter will use those creds
against the Windows "domain controller" like it would with NTLM. See
the Filter docs.

Mike

PS: Never ever ever ever use NTLM over the Internet. NTLM hashes are
easily cracked if you're not using SSL.
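As an added illustration of the advice above (not part of the thread or of jCIFS's own documentation), a web.xml fragment for the jCIFS NtlmHttpFilter that enables Basic authentication while keeping it SSL-only; the init-param names are those documented for the filter, the hostname, domain and realm are placeholders, so check them against the Filter docs for your jCIFS version.

```xml
<!-- Added example (not from the thread): NtlmHttpFilter configured so that
     clients behind an authenticating proxy can use Basic, but the filter
     offers Basic only on an SSL (HTTPS) connection, never over plain HTTP.
     Hostnames, domain and realm below are placeholders. -->
<filter>
  <filter-name>NtlmHttpFilter</filter-name>
  <filter-class>jcifs.http.NtlmHttpFilter</filter-class>

  <!-- Domain controller that validates the credentials (placeholder). -->
  <init-param>
    <param-name>jcifs.http.domainController</param-name>
    <param-value>dc01.example.internal</param-value>
  </init-param>
  <init-param>
    <param-name>jcifs.smb.client.domain</param-name>
    <param-value>EXAMPLE</param-value>
  </init-param>

  <!-- Accept HTTP Basic credentials and validate them against the DC. -->
  <init-param>
    <param-name>jcifs.http.enableBasic</param-name>
    <param-value>true</param-value>
  </init-param>
  <!-- false: Basic is offered only when the request is secure, so the
       password does not cross the Internet in the clear. Setting this to
       true would re-open the exposure the PS above warns about. -->
  <init-param>
    <param-name>jcifs.http.insecureBasic</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>jcifs.http.basicRealm</param-name>
    <param-value>Example Web App</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>NtlmHttpFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Require HTTPS for the whole application, so the secure path is the
     only one on which credentials are ever requested. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With this setting a request arriving over plain HTTP still receives only the NTLM challenge, which is the failure mode described in the question, so the proxied users must reach the app over HTTPS for Basic to be offered.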

