[jcifs] MS-CHAP and MS-CHAP-V2 possible?

Michael B Allen mba2000 at ioplex.com
Tue Feb 27 03:55:29 GMT 2007

On Mon, 26 Feb 2007 16:57:09 -0800
Mike Bean <bean at alcatel-lucent.com> wrote:

> I have some JNI code to perform LsaLogonUser calls on Windows to 
> validate MS-CHAP and MS-CHAP-V2 responses.  It looks like you should be 
> able to do the same with JCIFS but it appears that challenges must be 
> chosen by DC.  Unfortunately I need to specify a challenge rather than 
> get one from DC.  Is there any way to create a 
> NtlmPasswordAuthentication object with external hashes and challenge and 
> perform a logon to validate hashes?


>  Can I get the user password hashed 
> twice to use in generating MPPE keys, I believe this is the user session 
> key?

You could do the NetrSamLogon RPC (that's what LsaLogonUser does). You
supply the challenge and the password hashes and get back the session key
(I assume the session key must be sufficent to do MPPE).

I don't think we have any netlogon.idl at the momement but between Samba
SVN, MSDN and Wireshark you should be able to fill in enough of it to
produce a JCIFS MSRPC stub with our midlc compiler.

Another way to do it might be to use digest authentication. I don't
know the details but the Heimdal guys just implemented the functional
equivalent of NetrSamLogon to authenticate NTLM clients. It also gives
you the session key.


Michael B Allen
PHP Active Directory SSO

More information about the jcifs mailing list