[jcifs] Issues with lmCompatibility and NTLMfilter

Gidado-Yisa Immanuel gidado at users.sourceforge.net
Mon Jan 22 01:10:19 GMT 2007 

I installed 1.2.8 of NtlmHttpFilter into my current webapplication.  I 
set the following parameters appropriately:

  jcifs.smb.domain
  jcifs.smb.od

These are the results that I see:

   OS Registry Setting for  Web      User
      lmcompatibilitylevel  Browser  Authenticates?
1. XP 4                     IE6      no (doesn't respond to Type2 msg)
2. 2K 0                     IE6      yes
3. XP 4 (not used by FF)    FF1.5    yes

I'm trying to resolve case (1) which represents abuot 60% of my users.  
What I noticed in looking at the packets via wireshark for (1) and (3) 
is that the following flags are set in the Type1 (negotiate) message:

  (1) XP/IE6   - Flags: 0xa208b207
  (3) XP/FF1.5 - Flags: 0x00088207

So in case (1), IE6 is setting these additional flags:

  negotiate 56
  negotiate 128
  negotiate NTML key

Now these flags are defined in NtlmFlags.java 
<http://jcifs.samba.org/src/src/jcifs/ntlmssp/NtlmFlags.java>, but are 
never used throughout jcifs.  In fact, the flags segment is constructed 
from Type2Message 
<http://jcifs.samba.org/src/src/jcifs/ntlmssp/Type2Message.java>.getDefaultFlags() 
which knows about 4 or 5 flags altogether.  My thinking is that with 
lmcompatibilitylevel=4, IE wants to do NTLMv2,  but it does not see any 
of the appropriate flags returned in the type2 message, and quits.  Will 
returning these flags help IE to complete the negotiation and send the 
type3 authorization?

My other approach was to investigate how the challenge was constructed.  
Perhaps IE sees the challenge and determines that it is not NTLMv2.  I 
looked in NtlmPasswordAuthentication.java 
<http://jcifs.samba.org/src/src/jcifs/smb/NtlmPasswordAuthentication.java> 
at how the challenge is constructed.  Eventually (I think) this code is 
called:

    public byte[] getUnicodeHash( byte[] challenge ) {
        if( hashesExternal ) {
            return unicodeHash;
        }
        switch (LM_COMPATIBILITY) {
        case 0:
        case 1:
        case 2:
            return getNTLMResponse( password, challenge );
        case 3:
        case 4:
        case 5:
            /*
            if( clientChallenge == null ) {
                clientChallenge = new byte[8];
                RANDOM.nextBytes( clientChallenge );
            }
            return getNTLMv2Response(domain, username, password, null,
                    challenge, clientChallenge);
            */
            return new byte[0];
        default:
            return getNTLMResponse( password, challenge );
        }
    }

Notice that for cases 3-5, the code is commented out (though it is not 
commented out in getAnsiHash()).  Anyone know the reason for this?  I'm 
hoping that someone has run into these problems before and can point me 
in the right direction.

I will start experimenting with flags to see if that fixes the problem 
with IE at lmcompatibilitylevel=4.

Thanks,
Gidado


-------------- next part --------------
HTML attachment scrubbed and removed

More information about the jcifs mailing list