[jcifs] Meaning / usage of "ssnLimit"

Michael B Allen ioplex at gmail.com
Thu Dec 11 14:45:32 GMT 2008


On Thu, Dec 11, 2008 at 5:23 AM,  <Sascha_Klamm at tonbeller.com> wrote:
> Hello Mike,
>> my suspicion would be that the DC requires NTLMv2.
> Imho this isn't our customer's problem, since in the test env. it works and
> in production the same DC is used...
>
>> the JCIFS NTLM HTTP Authentication Filter does not and will never
>> support NTLMv2
> What does this mean? We don't know much about the JCIFS library that
> hasn't to do with the "JCIFS NTLM HTTP Authentication" chapter... our
> intention of using JCIFS was the "single sign on" feature which is
> realised by the filter - do we have a problem with this if NTLMv2 is
> required? Do we have to write our own filter via the API...?

NTLM is the "challenge response" security protocol used by Windows to
authenticate users and NTLM is also what the NTLM HTTP Filter uses.
NTLMv2 is a newer, more secure "version 2" of that protocol. For
cryptographic reasons, the technique that is used by JCIFS to marshal
the NTLMSSP messages between the HTTP client and the domain controller
as a "man-in-the-middle" cannot work with NTLMv2. NTLMv2 is becoming
more common and for this reason and others the NTLM HTTP Filter will
be removed from JCIFS some time in the future.

But I do not know that NTLMv2 is the problem you are seeing. I do not
know what the problem is that you are seeing.

>> unfortunate that it's been flagged as a solution by people googling
>> around
> Well, we found it on the official jcifs page... :)
> http://jcifs.samba.org/src/docs/ntlmhttpauth.html#signing

Ah, indeed. The discouraging remarks should probably use stronger
language but technically what it says is true and the ssnLimit
thing should work without error. But of course preauthentication
should also work which just leads me again to NTLMv2. You might want
to check the server lmCompatibility level.

Mike

> "Michael B Allen" <ioplex at gmail.com>
> Sent by: jcifs-bounces+aweber=comcast.net at lists.samba.org
> 10.12.2008 18:10
>
> To: Sascha_Klamm at tonbeller.com
> Cc: jcifs at lists.samba.org
> Subject: Re: [jcifs] Meaning / usage of "ssnLimit"
>
> Looks like pre-authentication is simply failing. If you're certain
> that it's the right password my suspicion would be that the DC
> requires NTLMv2.  But the JCIFS NTLM HTTP Authentication Filter does
> not and will never support NTLMv2 (technically the preauth step could
> work with NTLMv2 since you have the password but that wouldn't do you
> much good since the Filter still wouldn't work).
>
> Of course I don't know what the problem is. This is just a guess.
>
> Also, as I've said many times, setting ssnLimit=1 is not a good idea.
> It's unfortunate that it's been flagged as a solution by people
> googling around and then reposting it.
>
> Mike
>
>
>
> --
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/



-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

