[jcifs] JCIFS for Multiple Domains

Yannick yannick at smellyfrog.com
Fri Nov 10 07:57:01 GMT 2006


Yes it certainly is.

Well I don't know if this helps, but we have a very simple IP filtering 
mechanism in place to determine if users are from the company (therefore 
part of one of our domains) or from outside. We then only offer 
automatic authentication to our internal users. We implemented this by 
creating a subclass of the NtlmHttpFilter class. Of course this also 
means maintaining a list of IP addresses or ranges of IPs, which is a 
bit of a pain.
If JCIFS was not allowing you to do what you need, maybe you could 
implement something similar; i.e. switching domains according to the IP 
range the user belongs to.

As you can see, we have reached the limit of my knowledge of JCIFS. :o)

Regards
Yannick

Merlin Beedell wrote:

> The product can connect to a mix of trusted and completely separate 
> Directory domains. Where, for example, we have a single system used at 
> an ISP, with 5 or so separate companies-worth of employees attaching - 
> then there is no trust between the ADs. So what we need is:
> - any number of jcifs threads, each one configured to a different AD
> - when a user connects to the login web page, some criteria is used to 
> determine which company they belong to
> - the web then uses the associated jcifs thread to validate the user
>
> Perhaps this is not possible. But worth asking, I think.
>
> Merlin
>
>
>> From: Yannick <yannick at smellyfrog.com>
>> To: Merlin Beedell <merlin_b_wizard at hotmail.co.uk>
>> CC: jcifs at lists.samba.org
>> Subject: Re: [jcifs] JCIFS for Multiple Domains
>> Date: Wed, 08 Nov 2006 16:10:46 +0000
>>
>> Hi Merlin,
>>
>> I'm not a specialist, but from what I understand if you have domains 
>> trusting each other, then you can implement multiple domains 
>> authentication.
>> We have implemented this successfully in Banta. We have different 
>> domains from different offices and locations, for example in the US, 
>> Europe and Singapore and all our users are authenticated 
>> automatically, even though our web and app servers are located in the 
>> US only.
>> I'm not familiar with the way the network and domain controller are 
>> set up, but on the JCIFS side it was pretty transparent.
>>
>> Hope this helps
>> Yannick
>>
>>
>> Merlin Beedell wrote:
>>
>>> Is there a good/standard/any way to create a [Tomcat] Website that 
>>> can use JCIFS to provide Single Sign On for MULTIPLE domains. In 
>>> other words, for the website to determine which company the user is 
>>> coming from, and then to target that company's Active Directory 
>>> using JCIFS for authentication.
>>>
>>> As I understand it, JCIFS runs at the site level, which means that 
>>> it can only work with a single LDAP/Active Directory host. [We have 
>>> it working in this way]. However...
>>>
>>> Let us assume that a single company has acquired 2 other companies. 
>>> They operate 3 separate active directories, albeit in a forest. 
>>> The Web site allows people from all 3 companies to access it. Once 
>>> the web has determined which company the user is from, then it needs 
>>> to do a JCIFS lookup for sign-on.
>>>
>>> Is this even possible?
>>>
>
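
Added example, not part of the original thread and not JCIFS code: the IP-range lookup Yannick describes, extended to return a domain name per range so a filter could pick which domain to authenticate against. The class name, the ranges and the domain names are constructed for illustration, and only IPv4 is handled.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Maps a client IPv4 address to a domain by CIDR range (hypothetical helper). */
public class DomainByIpRange {
    // Constructed sample data: CIDR range -> domain name (assumptions, not from the thread).
    private final Map<String, String> ranges = new LinkedHashMap<>();

    public DomainByIpRange() {
        ranges.put("10.1.0.0/16", "COMPANYA");
        ranges.put("10.2.0.0/16", "COMPANYB");
        ranges.put("192.168.50.0/24", "COMPANYC");
    }

    /** Returns the domain for this address, or null when it is malformed or in no range. */
    public String domainFor(String clientIp) {
        long addr = toLong(clientIp);
        if (addr < 0) return null;                 // malformed input: fail closed
        for (Map.Entry<String, String> e : ranges.entrySet()) {
            String[] parts = e.getKey().split("/");
            int prefix = Integer.parseInt(parts[1]);
            long mask = (0xFFFFFFFFL << (32 - prefix)) & 0xFFFFFFFFL;
            if ((addr & mask) == (toLong(parts[0]) & mask)) return e.getValue();
        }
        return null;                               // external user: no automatic authentication
    }

    /** Parses a dotted-quad literal without any DNS lookup; returns -1 if malformed. */
    static long toLong(String ip) {
        if (ip == null) return -1;
        String[] octets = ip.split("\\.", -1);
        if (octets.length != 4) return -1;
        long value = 0;
        for (String s : octets) {
            if (!s.matches("\\d{1,3}") || Integer.parseInt(s) > 255) return -1;
            value = (value << 8) | Integer.parseInt(s);
        }
        return value;
    }

    public static void main(String[] args) {
        DomainByIpRange map = new DomainByIpRange();
        for (String ip : new String[] {"10.2.14.7", "192.168.50.20", "203.0.113.9", "10.1.0.999"}) {
            String domain = map.domainFor(ip);
            System.out.println(ip + " -> " + (domain == null ? "no automatic authentication" : domain));
        }
    }
}
```

In a servlet filter the input would be `request.getRemoteAddr()`; behind a reverse proxy that is the proxy's address, and a forwarded-for header is set by the client. The range should therefore decide only whether and against which domain NTLM is attempted, never stand in for authentication.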


