[jcifs] Changing the Auth Protocol Order

Eric Glass eric.glass at gmail.com
Tue Sep 12 16:41:12 GMT 2006


You would need to poke around with the code a bit; either of the
proposed approaches would do what you are proposing:

1) Changing the order of the authentication mechanisms to list Basic
before NTLM will cause IE to select NTLM (this is actually contrary to
the RFCs on how it *should* behave; it is supposed to select the
strongest supported mechanism).

2) Disabling NTLM would (obviously) cause it to select Basic also.

Neither of these is necessarily a *good* approach for the scenario
outlined below, however; sending Basic credentials over the internet
is A Bad Thing (NTLM is not much better).

NTLM through proxies is quite problematic, as you noted.  One approach
you might try is using HTTPS instead of HTTP; as the proxy just does a
CONNECT in that case, it is in effect establishing a persistent
connection over which the encrypted requests are tunneled.  This may
solve both your problems (NTLM to the web server through the proxy,
and encrypted traffic over the network).


Eric

On 9/12/06, Christian Becker <christian.becker at continentalsoftware.com> wrote:
> Thanks for your reply
>
> Disabling the NTLM protocol should only affect the headers, so that NTLM is no longer offered to the browsers.
> But jcifs should challenge the data submitted via BASIC against the DCs.
>
> The proxy exclusion would not work; in my case the authentication goes over the Internet, the server is in our datacenter and the users are in another company behind the squid proxy.
>
> -----Original Message-----
> From: Michael B Allen [mailto:mba2000 at ioplex.com]
> Sent: Tuesday, 12 September 2006 17:24
> To: Christian Becker
> Cc: jcifs at lists.samba.org
> Subject: Re: [jcifs] Changing the Auth Protocol Order
>
> Add the target host to the proxy exclusion list in IE.
>
> Otherwise, if all you want is BASIC then you don't need the JCIFS Filter
> at all.
>
> On Tue, 12 Sep 2006 11:43:44 +0200
> "Christian Becker" <christian.becker at continentalsoftware.com> wrote:
>
> > We are currently expecting problems with jcifs and a squid proxy.
> >
> > After some research I found that NTLM is a very bad protocol for proxies.
> >
> > In our jcifs config we already enabled the BASIC authentication method,
> > but up to now it does not really seem to work, because NTLM is the first
> > offered protocol.
> >
> > Is there a way to change it so that BASIC is first in the list?
> >
> > Or could NTLM be totally disabled?
> >
> >
> >
> > We use jcifs as a completely untouched lib and so we won't want to change
> > anything ourselves.
> >
> >
> >
> > Greetings,
> >
> > Christian Becker
> >
> >
>
>
> --
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
>
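
Added example (not part of the original message, and not jcifs code): why the order of the offered mechanisms only matters to a client that takes the first scheme it supports, shown next to a choice of the strongest supported scheme that also refuses Basic over cleartext HTTP. The strength ranking, function names and sample headers are assumptions constructed for illustration.

```python
"""Scheme selection from WWW-Authenticate challenges (added example)."""

# Assumed strength ranking for this example only: higher is stronger.
STRENGTH = {"basic": 0, "ntlm": 1, "negotiate": 2}


def offered_schemes(header_values):
    """Return scheme names in the order the server listed them.

    Assumes one challenge per WWW-Authenticate header line.
    """
    schemes = []
    for value in header_values:
        parts = value.strip().split(None, 1)
        if parts:
            schemes.append(parts[0].lower())
    return schemes


def pick_first_listed(header_values, supported):
    """Order-dependent selection: first listed scheme the client supports."""
    for scheme in offered_schemes(header_values):
        if scheme in supported:
            return scheme
    return None


def pick_strongest(header_values, supported, secure_transport):
    """Order-independent selection; never picks Basic on cleartext HTTP."""
    candidates = [s for s in offered_schemes(header_values)
                  if s in supported and s in STRENGTH]
    if not secure_transport:
        # Basic sends a reversible encoding of the password, so drop it
        # unless the connection is already encrypted (HTTPS).
        candidates = [s for s in candidates if s != "basic"]
    return max(candidates, key=STRENGTH.get, default=None)


# Constructed sample: a server that lists Basic ahead of NTLM.
BASIC_FIRST = ['Basic realm="example"', "NTLM"]
CLIENT_SUPPORTS = {"basic", "ntlm"}

if __name__ == "__main__":
    print(pick_first_listed(BASIC_FIRST, CLIENT_SUPPORTS))
    print(pick_strongest(BASIC_FIRST, CLIENT_SUPPORTS, secure_transport=False))
```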

