[jcifs] NTLMv2

Michael B Allen ioplex at gmail.com
Fri Jun 20 18:07:30 GMT 2008


On 6/20/08, Matt Parker <parkerman at gmail.com> wrote:
> On Mon, Jun 9, 2008 at 2:59 PM, Michael B Allen <ioplex at gmail.com> wrote:
>  > On 6/9/08, Matt Parker <parkerman at gmail.com> wrote:
>  >> I'm sure you get this request all the time, but I'm wondering if
>  >>  NTLMv2 proper (not LMv2) is on the roadmap, and if so, if you have any
>  >>  idea whatsoever approximately when.
>  >>
>  >>  If not, and if I wanted to contribute it, is it simply a matter of
>  >>  implementing the correct behavior as outlined in the Davenport spec
>  >>  (which I understand may not be trivial)? Or are there some blocking
>  >>  issues?
>  >
>  > If you're using the NTLM HTTP Filter then IIRC it would not work
>  > without additional RPCs necessary to implement NETLOGON pass-through
>  > authentication.
>
>
> Sorry, what's IIRC? I'm using a custom HTTP filter.
>
>
>  >
>  > But as a client (the initiator as opposed to acceptor) of
>  > authentication it should be fairly straightforward to add NTLMv2
>  > support to JCIFS. In fact, the code mostly already exists in Eric's
>  > "Jarapac" package from sourceforge. Check it out.
>
>
> Thanks, I'll give jarapac a look. I'm actually the acceptor of
>  authentication. The clients already have v2 capability, and now I'm on
>  the hook to provide it.

I would have to research the whole issue but the acceptor is much more
difficult.

Also, I was wrong about Jarapac. The initiator code isn't there either.

>  > The only reason I didn't do NTLMv2 yet was because I started a 2.0
>  > JCIFS with a completely reworked security infrastructure that properly
>  > interfaced with Java's subject-based security model and I was going to
>  > address NTLMv2 in that work. But I never had the time to complete it
>  > before leaving my mega-corp job.
>
>
> I'm surprised v2 hasn't come up more, but I imagine that it will now
>  that Vista uses it by default. And if you're taking votes, I'd vote
>  for v2 before integration with JAAS.

Me too. But apparently people are scraping by with NTLMv1 still.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

