[jcifs] NTLMSSP (SSPI) work with IE client ???

Michael B Allen ioplex at gmail.com
Sat Apr 11 02:09:37 GMT 2009


On Fri, Apr 10, 2009 at 4:06 PM, Ajax Zheng <adzheng at gmail.com> wrote:
> Hello,
>
> I wrote a small test web server trying to talk to IE client for NTLM
> authentication. I'm using SSPI AcceptSecurityContext() etc in my
> server side code. I was able to get IE to send me the Type-3 message with
> LM and NT response hashes. But when I called AcceptSecurityContext()
> the 2nd time to pass in these response data, it returned ACCESS LOGIN DENIED
> (The logon attempt failed. Unknown user name or bad password).
>
> I checked the decoded Type-3 message received from IE and found out that in
> the LM response field only the first 8 bytes are filled and the remaining 16
> bytes are all 0x00.
>
> I'm not sure if this is the reason that causes AcceptSecurityContext() to
> fail.
>
> Does anyone know if a server implementing NTLMSSP (using SSPI,
> AcceptSecurityContext() api etc..) authentication will work with an IE
> client performing NTLM authentication?

This isn't really the right place to ask this question.

Your code should work. I suspect something is slightly off like some
AcceptSecContext flags.

Get a capture of IE doing NTLMSSP with IIS and then another of IE
doing NTLMSSP with your server. Then compare each field and in
particular the NTLMSSP flags. As long as the communication is identical
it should work.

Good luck,
Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
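
The field-by-field comparison suggested in the reply above can be scripted. The following is an added example, not part of the original thread or of jcifs: it decodes the NTLMSSP token from an `NTLM <base64>` HTTP header value and reports negotiate flags that differ between two messages. The names `parse_ntlm`, `diff_flags` and `sample_type3` are hypothetical, the sample tokens are constructed, and the Type-3 message is assumed to carry its flags field at offset 60.

```python
import base64
import struct

# Subset of NTLMSSP negotiate flags (names from MS-NLMP).
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}  # flags field offset per message type

def parse_ntlm(header_value):
    """Decode the token from an 'NTLM <base64>' HTTP header value."""
    raw = base64.b64decode(header_value.split(None, 1)[1])
    mtype = struct.unpack_from("<I", raw, 8)[0] if len(raw) >= 12 else 0
    if raw[:8] != b"NTLMSSP\x00" or mtype not in FLAGS_OFFSET:
        raise ValueError("not an NTLMSSP type 1-3 message")
    bits = struct.unpack_from("<I", raw, FLAGS_OFFSET[mtype])[0]
    msg = {"type": mtype, "flags": {n for b, n in FLAGS.items() if bits & b}}
    if mtype == 3:
        for name, off in (("lm", 12), ("nt", 20)):  # security buffers
            length, _, start = struct.unpack_from("<HHI", raw, off)
            msg[name] = raw[start:start + length]
        # Client challenge + 16 zero bytes is the LM field layout MS-NLMP
        # defines for NTLMv1 with extended session security.
        msg["lm_is_client_challenge"] = (
            len(msg["lm"]) == 24 and msg["lm"][8:] == bytes(16))
    return msg

def diff_flags(reference, candidate):
    """Flags set in only one of two messages of the same type."""
    return {"only_reference": sorted(reference["flags"] - candidate["flags"]),
            "only_candidate": sorted(candidate["flags"] - reference["flags"])}

def sample_type3(bits, lm, nt):
    """Constructed Type-3 token for the demo; other buffers are empty."""
    bufs = struct.pack("<HHI", len(lm), len(lm), 64)
    bufs += struct.pack("<HHI", len(nt), len(nt), 64 + len(lm))
    bufs += struct.pack("<HHI", 0, 0, 64 + len(lm) + len(nt)) * 4
    raw = (b"NTLMSSP\x00" + struct.pack("<I", 3) + bufs
           + struct.pack("<I", bits) + lm + nt)
    return "NTLM " + base64.b64encode(raw).decode()
```

Feed `parse_ntlm` the header values taken from the IIS capture and from the test server's capture, then pass the two results of the same message type to `diff_flags`.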

