[jcifs] NTLM and JCIFS: architecture/protocols

Alastair Green alastair.j.green at hotmail.co.uk
Thu Feb 15 17:39:48 GMT 2007


After a lot of reading I'm still puzzling over a question about the 
architecture of the NTLM protocol(s).

Let me lay out my understanding and questions, and then someone can correct 

NTLM is a challenge-response protocol supported by AD, whose client side is 

A Windows machine can run NTLM against an AD DC by using the NTLMSSP 
(possibly through many levels of indirection in terms of the piled APIs MSFT 

If this happens then AD will compare the NTLM hashed version of the u/p pair 
with its own records and authorize or otherwise accordingly.

HTTP NTLM Authentication is a variant of the NTLM protocol, where the 
challenge response messages are a) Base64 encoded, and b) passed in HTTP 
headers, and c) replace standard HTTP authentication exchanges like Basic 
Auth and Digest Auth.

When using NTLM/HTTP the web server end has to decide, between receiving the 
type 2 message-in-a-header and sending the type 3 message, whether the 
hashed u/p pair is good or bad.

Question (if I am roughly right so far): by what means does the web server 
establish the goodness or badness of the hashed auth data?

If the "web server" is the JCIFS HTTP Filter, does it (in classic mode, 
prior to introduction of Kerberos checking) a) do a CIFS authentication 
exchange, if such a thing exists, or b) run a non-HTTP version of NTLM (i.e. 
act as a bridge between NTLM/HTTP and NTLM/proper) or c) something else?

If the JCIFS HTTP Filter is doing Kerberos authentication, does it still do 
NTLM/HTTP between browser and Filter/WS, and merely use Kerberos as a 
goodness establisher, or is there something slicker going on?

Thanks in advance for any help you can give.


MSN Hotmail is evolving – check out the new Windows Live Mail 

More information about the jcifs mailing list