[jcifs] What is Pre Authentication in NTLM?

Asaf Mesika asaf.mesika at gmail.com
Tue Feb 5 09:03:20 GMT 2008


I've researched this topic a little bit this morning, and dug up a section
called "2.8.9.1 Generating the Session Key", in a book
<http://ubiqx.org/cifs/SMB.html> named "Implementing CIFS - The
Common Internet FileSystem".

I have two questions, if I may, regarding this:
1. Is this the pre-authentication step jCIFS does?
2. Why can't jCIFS use the user's hash to perform the pre-authentication?
Why does it require a special user/password designated for it?

Thank you,

Asaf



On Feb 5, 2008 10:18 AM, Michael B Allen <miallen at ioplex.com> wrote:

> On Tue, 5 Feb 2008 10:01:01 +0200
> "Asaf Mesika" <asaf.mesika at gmail.com> wrote:
>
> > Thanks for taking the time to answer.
> >
> > Are there any conditions that this user (used for pre-authentication) must
> > uphold in the Active Directory? (Have certain permissions, be a member of
> > specific groups, etc...)?
>
> No.
>
> >
> > Asaf
> > WorkLight
> >
> >
> > On Feb 4, 2008 7:31 PM, Michael B Allen <miallen at ioplex.com> wrote:
> >
> > > On Mon, 4 Feb 2008 18:33:03 +0200
> > > "Asaf Mesika" <asaf.mesika at gmail.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > I've searched for information on Pre Authentication for NTLM and haven't
> > > > found a decent explanation.
> > > >
> > > > Can anyone explain this issue in detail?
> > > >
> > > > *Background*
> > > > I first tackled the issue when experiencing a problem: After one user has
> > > > logged on, no other user can log on (SmbException - Access denied).
> > > > Further investigation led me to find out that I had to add three jcifs
> > > > properties, as the following document
> > > > <http://jcifs.samba.org/src/docs/ntlmhttpauth.html#signing> explains:
> > > >
> > > > -----[QUOTE]-------
> > > > SMB Signatures and Windows 2003
> > > >
> > > > If the domain controller against which you
> > > > are authenticating clients requires SMB signatures (Windows 2003 does by
> > > > default), it is recommended that you provide init-parameters for the
> > > > jcifs.smb.client.{domain,username,password} properties to perform
> > > > "preauthentication" for each transport to a domain controller so that a
> > > > proper SMB signing key can be generated.
> > > >
> > > > -----[END QUOTE]-------
> > > >
> > > > Apparently, our Windows 2003 demanded Pre-authentication.
> > > >
> > > > I've started searching for knowledge regarding this pre-authentication in
> > > > NTLM, but found nothing substantial.
> > >
> > > Hi Asaf,
> > >
> > > The term "pre-authentication" is something specific to JCIFS and describes
> > > the fact that we must authenticate a connection with a domain controller
> > > with a plain-text password so that a valid SMB signing key can be
> > > generated. Only then can we authenticate password hashes submitted by
> > > web clients on that connection.
> > >
> > > Incidentally the term "pre-authentication" is a phrase that is used with
> > > regard to getting a TGT in Kerberos. Again, there is no relation.
> > >
> > > Mike
> > >
> > > --
> > > Michael B Allen
> > > PHP Active Directory SPNEGO SSO
> > > http://www.ioplex.com/
> > >
> >
>
>
> --
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/
>
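
The three properties named in the quoted jCIFS documentation, written as init-parameters of the NTLM HTTP filter in a web application's web.xml. This is an added example, not part of the original thread or of the jCIFS documentation; the domain, domain controller name, account name and password are placeholders, and the filter mapping is an assumed typical setup.

```xml
<filter>
    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>

    <!-- Placeholder: the domain controller that validates the password
         hashes submitted by web clients. -->
    <init-param>
        <param-name>jcifs.http.domainController</param-name>
        <param-value>dc1.example.test</param-value>
    </init-param>

    <!-- Pre-authentication credentials. jCIFS logs on to the domain
         controller with these for each transport so that an SMB signing key
         exists before any client hash is checked on that connection.
         Leaving them out against a controller that requires SMB signing is
         the situation reported in this thread: the first user logs on and
         later users get "SmbException - Access denied". -->
    <init-param>
        <param-name>jcifs.smb.client.domain</param-name>
        <param-value>EXAMPLE</param-value>           <!-- placeholder -->
    </init-param>
    <init-param>
        <param-name>jcifs.smb.client.username</param-name>
        <param-value>svc-jcifs-preauth</param-value> <!-- placeholder -->
    </init-param>
    <init-param>
        <!-- Stored in clear text in this file. Per the reply in this thread
             the account needs no special permissions or group membership,
             so use a dedicated account with none, and restrict who can read
             web.xml. -->
        <param-name>jcifs.smb.client.password</param-name>
        <param-value>CHANGE-ME</param-value>         <!-- placeholder -->
    </init-param>
</filter>

<!-- Assumed mapping: protect the whole application. -->
<filter-mapping>
    <filter-name>NtlmHttpFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```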