[jcifs] NTLMHttpFilter for multiple Domains?

Kevin Tapperson kevin at tapperson.net
Wed Apr 30 06:42:13 GMT 2008

I did an implementation of this several years ago.  What you would need to
do is to get the value provided by the client in the NTLM type 1 message for
the domain.  (Note that this is the workstation domain and not the user's
domain.  But, if the two differ, there would have to be a trust relationship
between them in order to allow the user to login to the workstation
anyway.)  You can get the domain from the Type1Message object by calling the
getSuppliedDomain method.  In some cases, I found that the client does not
send a domain.  I cannot recall what cases these were.  I think it was
certain browser configurations, for example, if IE was set such that it
didn't automatically send the credentials, but popped up the authentication
dialog, and possibly something about Windows 2003.  After you have the
domain from the type 1 message, you need to generate a challenge using a
domain controller from the supplied domain to use in the type 2 message that
the server sends back to the browser.  In order to accomplish this, you'll
need to move some code around, as the implementation of NtlmHttpFilter
generates a challenge before it calls the NtlmSSp class, which is where the
Type1Message object is constructed.  You will also likely need to always use
the load balancing code in the NtlmHttpFilter (which stores the challenge
and domain controller that generated it in the HttpSession) so that your
authentication requests on receipt of a type 3 message get directed back to
the same domain controller.

I hope this helps.

On Wed, Apr 23, 2008 at 10:44 AM, AJ Weber <aweber at comcast.net> wrote:

>  Has anyone extended the NTLMHttpFilter to support multiple "allowed"
> domains?
> I may have a situation where multiple domains are allowed for
> authentication to a site, and they don't have an appropriate Trust
> Relationship setup.
> I think I could extend it to support this myself, but didn't want to
> "reinvent the wheel" if someone else already had done it and can share.
> Thanks in advance,
> AJ

Kevin Tapperson
-------------- next part --------------
HTML attachment scrubbed and removed

More information about the jcifs mailing list