[jcifs] NTLMHttpFilter for multiple Domains?

AJ Weber aweber at comcast.net
Wed Apr 30 12:38:23 GMT 2008


Helps a lot.  I was just getting back to writing this yesterday (coincidentally).  My next step was to really understand which portions of the code are performing which of the messages, and it sounds like that's going to be very important, because of your tip on re-arranging the code.

-AJ

  ----- Original Message ----- 
  From: Kevin Tapperson 
  To: AJ Weber 
  Cc: jcifs at lists.samba.org 
  Sent: Wednesday, April 30, 2008 2:42 AM
  Subject: Re: [jcifs] NTLMHttpFilter for multiple Domains?


  I did an implementation of this several years ago.  What you would need to do is to get the value provided by the client in the NTLM type 1 message for the domain.  (Note that this is the workstation domain and not the user's domain.  But, if the two differ, there would have to be a trust relationship between them in order to allow the user to log in to the workstation anyway.)  You can get the domain from the Type1Message object by calling the getSuppliedDomain method.  In some cases, I found that the client does not send a domain.  I cannot recall what cases these were.  I think it was certain browser configurations, for example, if IE was set such that it didn't automatically send the credentials, but popped up the authentication dialog, and possibly something about Windows 2003.  After you have the domain from the type 1 message, you need to generate a challenge using a domain controller from the supplied domain to use in the type 2 message that the server sends back to the browser.  In order to accomplish this, you'll need to move some code around, as the implementation of NtlmHttpFilter generates a challenge before it calls the NtlmSSp class, which is where the Type1Message object is constructed.  You will also likely need to always use the load balancing code in the NtlmHttpFilter (which stores the challenge and domain controller that generated it in the HttpSession) so that your authentication requests on receipt of a type 3 message get directed back to the same domain controller.

  I hope this helps.


  On Wed, Apr 23, 2008 at 10:44 AM, AJ Weber <aweber at comcast.net> wrote:

    Has anyone extended the NTLMHttpFilter to support multiple "allowed" domains?

    I may have a situation where multiple domains are allowed for authentication to a site, and they don't have an appropriate Trust Relationship set up.

    I think I could extend it to support this myself, but didn't want to "reinvent the wheel" if someone else already had done it and can share.

    Thanks in advance,
    AJ




  -- 
  Kevin Tapperson
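The flow Kevin describes, as an added example that is neither jcifs project code nor code from either poster: the domain supplied in the type 1 message selects the domain controller that mints the challenge, and that DC is kept together with the challenge in the HttpSession so the type 3 response is validated by the same DC. It assumes jcifs 1.x and the servlet API; `allowedDomains` (upper-cased names) and `defaultDomain` are hypothetical configuration values standing in for filter init-params.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.http.*;
import jcifs.UniAddress;
import jcifs.ntlmssp.*;
import jcifs.smb.*;
import jcifs.util.Base64;

public class MultiDomainNtlm {
    /** Returns the authenticated user, or null after sending a 401 (with a type 2 challenge when due). */
    public static NtlmPasswordAuthentication negotiate(HttpServletRequest req, HttpServletResponse resp,
            Set<String> allowedDomains, String defaultDomain) throws IOException {
        String hdr = req.getHeader("Authorization");
        HttpSession session = req.getSession();
        if (hdr == null || !hdr.startsWith("NTLM ")) return sendChallenge(resp, "NTLM");
        byte[] msg = Base64.decode(hdr.substring(5));
        if (msg[8] == 1) {  // NTLMSSP type 1: choose the DC *before* generating the challenge
            Type1Message type1 = new Type1Message(msg);
            String domain = type1.getSuppliedDomain();
            if (domain == null || domain.length() == 0) domain = defaultDomain;  // some clients omit it
            domain = domain.toUpperCase();
            if (!allowedDomains.contains(domain)) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return null; }
            UniAddress dc = UniAddress.getByName(domain, true);  // resolve a DC of the supplied domain
            byte[] challenge = SmbSession.getChallenge(dc);
            session.setAttribute("ntlm.dc", dc);                // the same DC must validate the type 3
            session.setAttribute("ntlm.challenge", challenge);
            Type2Message type2 = new Type2Message(type1, challenge, domain);
            return sendChallenge(resp, "NTLM " + Base64.encode(type2.toByteArray()));
        }
        // NTLMSSP type 3: validate against the DC that issued the stored challenge
        UniAddress dc = (UniAddress) session.getAttribute("ntlm.dc");
        byte[] challenge = (byte[]) session.getAttribute("ntlm.challenge");
        session.removeAttribute("ntlm.challenge");             // one challenge, one use
        if (dc == null || challenge == null) return sendChallenge(resp, "NTLM");  // no type 1 seen: restart
        Type3Message type3 = new Type3Message(msg);
        NtlmPasswordAuthentication auth = new NtlmPasswordAuthentication(
                type3.getDomain(), type3.getUser(), challenge, type3.getLMResponse(), type3.getNTResponse());
        SmbSession.logon(dc, auth);  // throws SmbException (an IOException) on bad credentials
        return auth;
    }

    private static NtlmPasswordAuthentication sendChallenge(HttpServletResponse resp, String header) {
        resp.setHeader("WWW-Authenticate", header);
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return null;
    }
}
```

A filter's doFilter would call negotiate and continue the chain only when it returns a non-null user; callers should catch SmbException and treat it as a failed logon rather than a server error.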
