[jcifs] What is Pre Authentication in NTLM?
Michael B Allen
miallen at ioplex.com
Mon Feb 4 17:31:20 GMT 2008
On Mon, 4 Feb 2008 18:33:03 +0200
"Asaf Mesika" <asaf.mesika at gmail.com> wrote:
> Hi,
>
> I've searched for information on Pre Authentication for NTLM and haven't
> found a decent explanation.
>
> Can anyone explain this issue in detail?
>
> *Background*
> I first tackled the issue, when experiencing a problem: After one user has
> logged on, no other user can log on (SmbException - Access denied).
> Further investigation led me to find out that I had to add three jcifs
> properties, as the following document
> <http://jcifs.samba.org/src/docs/ntlmhttpauth.html#signing> explains:
>
> -----[QUOTE]-------
> SMB Signatures and Windows 2003
>
> If the domain controller against which you
> are authenticating clients requires SMB signatures (Windows 2003 does by
> default), it is recommended that you provide init-parameters for the
> jcifs.smb.client.{domain,username,password} properties to perform
> "preauthentication" for each transport to a domain controller so that a
> proper SMB signing key can be generated.
>
> -----[END QUOTE]-------
>
> Apparently, our Windows 2003 demanded Pre-authentication.
>
> I've started searching for knowledge regarding this pre-authentication in
> NTLM, but found nothing substantial.

Hi Asaf,

The term "pre-authentication" is something specific to JCIFS and describes
the fact that we must authenticate a connection with a domain controller
with a plain-text password so that a valid SMB signing key can be
generated. Only then can we authenticate password hashes submitted by
web clients on that connection.

Incidentally, the term "pre-authentication" is a phrase that is used with
regard to getting a TGT in Kerberos. Again, there is no relation.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/