[jcifs] RE: UPDATED help - ntlmhttpfilter almost working!! RE
Jim.Smyth at broadvision.com
Thu Oct 20 09:18:32 GMT 2005
Thanks for your answer. In the end I have managed to resolve the issue - I am not entirely sure of the reason, but it seems that it may have been related to a cookie set by the application server. Instead of going directly to the start page of the application, I now start from an HTML redirect into the site and I get the expected behaviour (I need to investigate this a bit more, but at least now it does work!).
Some further points.
1. I still do see a double GET request for the NTLMSSP_AUTH from the browser, with the second request showing only the first initial of user name, host name and domain. I don't understand why this happens (but hey, it works, I shouldn't complain!)
2. IIS is not nice. Well, actually IIS will remove any AUTHORIZATION header from the request before passing the request to a CGI or plugin, as this is considered a security hole. In order to prevent this from happening it is necessary to turn off 'integrated windows authentication' for the proxy module in IIS. (Apache does the same thing and in fact you need to recompile it with -DSECURITY_HOLE_PASS_AUTHORIZATION (http://www.w3.org/1999/02/26-modules/User/Apache-defer-auth.html)). The best solution would be to not have to go through IIS, but this constraint is unavoidable.
From: Michael B Allen
To: Smyth, Jim
Cc: jcifs at lists.samba.org
Sent: 10/19/2005 6:52 PM
Subject: Re: [jcifs] RE: UPDATED help - ntlmhttpfilter almost working!!
On Wed, 19 Oct 2005 08:13:41 -0700
"Smyth, Jim" <Jim.Smyth at broadvision.com> wrote:
> I am trying to get jcifs working in an application server which sits
> behind an IIS server (there is a proxy plugin on IIS). My only
> requirement is to get the logged in windows user's username in the app
> server (not IIS) so that I can automatically log the user in without
> them typing credentials. I want to use jcifs to do this because of
> features it offers above just the NTLM exchange.
I'd say there's a very good chance IIS is interfering with the NTLM
exchange. Why don't you just use IIS's built-in Negotiate support? It
supports NTLMv2 and Kerberos. There has to be a way to get the username
of the user that made the exchange. Use IIS and then check your request
headers. If IIS were nice they might insert the username there.
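Two things in this thread are worth seeing in working code: the back end has to check whether the Authorization header survived the front-end proxy at all (IIS and Apache strip it unless told not to, as the second point above explains), and the Type 3 (NTLMSSP_AUTH) message carries domain, user and workstation as length/offset security buffers whose text encoding depends on the NTLMSSP_NEGOTIATE_UNICODE flag. The parser below is an added example written for this page; it is not jcifs code and not the poster's code. It decodes the three name fields according to that flag, and `first_initial_view` shows what a decoder that treats the UTF-16LE bytes as a NUL-terminated single-byte string would report (only the first character of each name). The sample message is constructed inline with empty LM/NT responses, so it only exercises header parsing; the OEM code page fallback (cp437) is an assumption.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise

# Offsets of the security-buffer descriptors in an AUTHENTICATE (Type 3) message.
# Each descriptor is Len(2) MaxLen(2) Offset(4), little-endian; the 64-byte
# fixed header ends with the 4-byte NegotiateFlags at offset 60.
DOMAIN_FIELD, USER_FIELD, WORKSTATION_FIELD, FLAGS_OFFSET, HEADER_LEN = 28, 36, 44, 60, 64


def read_buffer(msg, field_offset):
    """Return the bytes a security buffer points at, bounds-checked."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, field_offset)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def parse_type3(msg):
    """Decode domain/user/workstation from a Type 3 message; None if not Type 3."""
    if len(msg) < 12 or msg[:8] != NTLM_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        return None  # Type 1/2 messages carry no authenticated user name
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated Type 3 message")
    flags = struct.unpack_from("<I", msg, FLAGS_OFFSET)[0]
    # cp437 as the OEM code page is an assumption; real clients almost always set UNICODE
    encoding = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    return {
        "domain": read_buffer(msg, DOMAIN_FIELD).decode(encoding),
        "user": read_buffer(msg, USER_FIELD).decode(encoding),
        "workstation": read_buffer(msg, WORKSTATION_FIELD).decode(encoding),
        "flags": flags,
    }


def extract_ntlm_user(headers):
    """Look at the request headers the back end actually received.

    Returns None when there is no NTLM Authorization header (never sent, or
    stripped by IIS/Apache in front of the application server) or when the
    token is not yet a Type 3 message."""
    auth = headers.get("Authorization")
    if auth is None:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    return parse_type3(base64.b64decode(token))


def first_initial_view(msg):
    """What a decoder that reads each UTF-16LE field as a NUL-terminated
    single-byte string sees: 'j\\x00i\\x00m\\x00' stops at the first NUL -> 'j'."""
    def c_string(buf):
        return buf.split(b"\x00", 1)[0].decode("ascii", errors="replace")
    return {
        "domain": c_string(read_buffer(msg, DOMAIN_FIELD)),
        "user": c_string(read_buffer(msg, USER_FIELD)),
        "workstation": c_string(read_buffer(msg, WORKSTATION_FIELD)),
    }


def build_type3(domain, user, workstation):
    """Constructed sample Type 3 message: UNICODE flag set, empty LM/NT
    responses and session key, names laid out after the 64-byte header."""
    strings = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    offset = HEADER_LEN
    fields = [struct.pack("<HHI", 0, 0, offset), struct.pack("<HHI", 0, 0, offset)]  # LM, NT
    for s in strings:
        fields.append(struct.pack("<HHI", len(s), len(s), offset))
        offset += len(s)
    fields.append(struct.pack("<HHI", 0, 0, offset))  # EncryptedRandomSessionKey: empty
    header = NTLM_SIGNATURE + struct.pack("<I", 3) + b"".join(fields)
    header += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE)
    return header + b"".join(strings)


def encode_header(msg):
    """Wrap a raw NTLMSSP message the way a browser sends it."""
    return {"Authorization": "NTLM " + base64.b64encode(msg).decode("ascii")}


def sample_headers():
    """Constructed headers for a user 'jsmith' in domain 'CORP' on host 'WS01'."""
    return encode_header(build_type3("CORP", "jsmith", "WS01"))


if __name__ == "__main__":
    print(extract_ntlm_user(sample_headers()))          # full names
    print(first_initial_view(build_type3("CORP", "jsmith", "WS01")))  # first initials only
    print(extract_ntlm_user({}))                         # None: header never reached us
```

In a servlet filter the same check belongs before any attempt to log the user in: a missing header is the IIS/Apache stripping case described above, a Type 1 token means the handshake is still in progress, and only a Type 3 token yields a name, which is then the claim to verify against the domain controller rather than something to trust on its own.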