[jcifs] What is Pre Authentication in NTLM?

Michael B Allen miallen at ioplex.com
Tue Feb 5 08:18:52 GMT 2008


On Tue, 5 Feb 2008 10:01:01 +0200
"Asaf Mesika" <asaf.mesika at gmail.com> wrote:

> Thanks for taking the time to answer.
> 
> Are there any conditions that this user (used for pre-authentication) must
> uphold in the Active Directory? (Have certain permissions, be a member of
> specific groups, etc.)?

No.

> 
> Asaf
> WorkLight
> 
> 
> On Feb 4, 2008 7:31 PM, Michael B Allen <miallen at ioplex.com> wrote:
> 
> > On Mon, 4 Feb 2008 18:33:03 +0200
> > "Asaf Mesika" <asaf.mesika at gmail.com> wrote:
> >
> > > Hi,
> > >
> > > I've searched for information on Pre Authentication for NTLM and haven't
> > > found a decent explanation.
> > >
> > > Can anyone explain this issue in detail?
> > >
> > > *Background*
> > > I first tackled the issue when experiencing a problem: After one user has
> > > logged on, no other user can log on (SmbException - Access denied).
> > > Further investigation led me to find out that I had to add three jcifs
> > > properties, as the following document
> > > <http://jcifs.samba.org/src/docs/ntlmhttpauth.html#signing> explains:
> > >
> > > -----[QUOTE]-------
> > > SMB Signatures and Windows 2003
> > >
> > > If the domain controller against which you
> > > are authenticating clients requires SMB signatures (Windows 2003 does by
> > > default), it is recommended that you provide init-parameters for the
> > > jcifs.smb.client.{domain,username,password} properties to perform
> > > "preauthentication" for each transport to a domain controller so that a
> > > proper SMB signing key can be generated.
> > >
> > > -----[END QUOTE]-------
> > >
> > > Apparently, our Windows 2003 demanded Pre-authentication.
> > >
> > > I've started searching for knowledge regarding this pre-authentication in
> > > NTLM, but found nothing substantial.
> >
> > Hi Asaf,
> >
> > The term "pre-authentication" is something specific to JCIFS and describes
> > the fact that we must authenticate a connection with a domain controller
> > with a plain-text password so that a valid SMB signing key can be
> > generated. Only then can we authenticate password hashes submitted by
> > web clients on that connection.
> >
> > Incidentally, the term "pre-authentication" is a phrase that is used with
> > regard to getting a TGT in Kerberos. Again, there is no relation.
> >
> > Mike
> >
> > --
> > Michael B Allen
> > PHP Active Directory SPNEGO SSO
> > http://www.ioplex.com/
> >
> 


-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

