[jcifs] Kerberos HTTP authentication

Mike Streeton mike.streeton at ardentia.co.uk
Tue Oct 3 13:57:37 GMT 2006

I have done a bit more work and tried to force a Kerberos challenge by
modifying AuthenticationFilter and replacing:

        resp.addHeader("WWW-Authenticate", "NTLM");

with:

        resp.addHeader("WWW-Authenticate", "Kerberos realm=\"mykdc\"");

in the fail(boolean clearSession, HttpServletRequest req,
HttpServletResponse resp) throws ServletException, IOException method.

This "worked" once, in that it tried to do a Kerberos authentication but
failed somewhere along the way. Unfortunately, I have not been able to
reproduce this and it still goes for NTLM.

Will let you know if I make any progress.


www.ardentia.com the home of NetSearch

-----Original Message-----
From: jcifs-bounces+mike.streeton=ardentia.co.uk at lists.samba.org
[mailto:jcifs-bounces+mike.streeton=ardentia.co.uk at lists.samba.org] On
Behalf Of Mike Streeton
Sent: 03 October 2006 13:57
To: Eric Glass
Cc: jcifs at lists.samba.org
Subject: RE: [jcifs] Kerberos HTTP authentication

Thanks for this Eric, these are the instructions I have been following.
The issue seems to be that Authentication.isNtlm(byte[] token) is always
returning true, indicating that Kerberos authentication is not taking
place. I have tried setting the "Enable Integrated Windows
Authentication (requires restart)" on in IE setup and adding the machine
to the trusted intranet site. So although the user is authenticated, it
does not seem to be using Kerberos.

Many Thanks


-----Original Message-----
From: Eric Glass [mailto:eric.glass at gmail.com] 
Sent: 03 October 2006 13:44
To: Mike Streeton
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] Kerberos HTTP authentication

Here's some instructions I posted awhile back:


This was pre-jcifs-ext but should be pretty close.

On 10/3/06, Mike Streeton <mike.streeton at ardentia.co.uk> wrote:
> I have been trying to get the 1.2.9 Kerberos version working with HTTP
> authentication. I copied the AuthenticationFilter.java + other classes
> from jcifs-ext. I have set up a simple app protected by the filter and
> seems fine, the page can call request.getRemoteUser(). The problem is
> eclipse to debug it I cannot see it going through any of the SPNEGO code and
> I suspect it is still using NTLM. How can I get IE to negotiate a
> connection instead of NTLM.
> Thanks
> Mike
> www.ardentia.com the home of NetSearch
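
One way to see which mechanism the browser actually sent in the thread above is to inspect the first bytes of the token in the Authorization header. The following is an added example, not code from jcifs or jcifs-ext; the class and method names are hypothetical and the sample tokens are constructed minimal byte strings, not real captures.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
public class AuthTokenKind {
    static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    // DER-encoded mechanism OIDs (tag 0x06, length, value)
    static final byte[] SPNEGO_OID = {0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
    static final byte[] KRB5_OID = {0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86,
                                    (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};

    static boolean hasAt(byte[] buf, int off, byte[] pat) {
        return off >= 0 && off + pat.length <= buf.length
            && Arrays.equals(Arrays.copyOfRange(buf, off, off + pat.length), pat);
    }

    static int indexOf(byte[] buf, byte[] pat) {
        for (int i = 0; i + pat.length <= buf.length; i++)
            if (hasAt(buf, i, pat)) return i;
        return -1;
    }

    /** Classify the value of an Authorization header, e.g. "Negotiate <base64>". */
    static String classify(String headerValue) {
        String[] parts = headerValue.trim().split("\\s+", 2);
        if (parts.length != 2) return "no token";
        byte[] t;
        try { t = Base64.getDecoder().decode(parts[1].trim()); }
        catch (IllegalArgumentException e) { return "invalid base64"; }
        if (hasAt(t, 0, NTLMSSP)) return "raw NTLM (scheme " + parts[0] + ")";
        if (t.length > 2 && t[0] == 0x60) {        // GSS-API InitialContextToken
            int lenByte = t[1] & 0xff;
            int oidOff = 2 + (lenByte < 0x80 ? 0 : lenByte & 0x7f);  // skip DER length
            if (hasAt(t, oidOff, KRB5_OID)) return "raw Kerberos GSS token";
            if (hasAt(t, oidOff, SPNEGO_OID))
                return indexOf(t, KRB5_OID) >= 0 ? "SPNEGO offering Kerberos"
                                                 : "SPNEGO without Kerberos";
        }
        return "unknown";
    }
    public static void main(String[] args) {
        // Constructed samples: only the leading bytes of each token kind.
        byte[] ntlm = Arrays.copyOf(NTLMSSP, 12); ntlm[8] = 1;       // Type 1 header
        byte[] spnego = {0x60, 0x17, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02,
            (byte) 0xa0, 0x0d, 0x30, 0x0b, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48,
            (byte) 0x86, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};
        System.out.println(classify("Negotiate " + Base64.getEncoder().encodeToString(ntlm)));
        System.out.println(classify("Negotiate " + Base64.getEncoder().encodeToString(spnego)));
    }
}
```

Logging this classification next to the challenge header the filter sent shows whether a given request carried a Kerberos ticket or an NTLM message.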
