[jcifs] What is Pre Authentication in NTLM?

Asaf Mesika asaf.mesika at gmail.com
Tue Feb 5 08:01:01 GMT 2008


Thanks for taking the time to answer.

Are there any conditions that this user (used for pre-authentication) must
uphold in the Active Directory? (Have certain permissions, be a member of
specific groups, etc.)

Asaf
WorkLight


On Feb 4, 2008 7:31 PM, Michael B Allen <miallen at ioplex.com> wrote:

> On Mon, 4 Feb 2008 18:33:03 +0200
> "Asaf Mesika" <asaf.mesika at gmail.com> wrote:
>
> > Hi,
> >
> > I've searched for information on Pre Authentication for NTLM and haven't
> > found a decent explanation.
> >
> > Can anyone explain this issue in detail?
> >
> > *Background*
> >
> > I first tackled the issue when experiencing a problem: after one user has
> > logged on, no other user can log on (SmbException - Access denied).
> > Further investigation led me to find out that I had to add three jcifs
> > properties, as the following document
> > <http://jcifs.samba.org/src/docs/ntlmhttpauth.html#signing> explains:
> >
> > -----[QUOTE]-------
> > SMB Signatures and Windows 2003
> >
> > If the domain controller against which you
> > are authenticating clients requires SMB signatures (Windows 2003 does by
> > default), it is recommended that you provide init-parameters for the
> > jcifs.smb.client.{domain,username,password} properties to perform
> > "preauthentication" for each transport to a domain controller so that a
> > proper SMB signing key can be generated.
> >
> > -----[END QUOTE]-------
> >
> > Apparently, our Windows 2003 demanded Pre-authentication.
> >
> > I've started searching for knowledge regarding this pre-authentication in
> > NTLM, but found nothing substantial.
>
> Hi Asaf,
>
> The term "pre-authentication" is something specific to JCIFS and describes
> the fact that we must authenticate a connection with a domain controller
> with a plain-text password so that a valid SMB signing key can be
> generated. Only then can we authenticate password hashes submitted by
> web clients on that connection.
>
> Incidentally the term "pre-authentication" is a phrase that is used with
> regard to getting a TGT in Kerberos. Again, there is no relation.
>
> Mike
>
> --
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/
>