[jcifs] NTLMSSP (SSPI) work with IE client ???

Ajax Zheng adzheng at gmail.com
Sat Apr 11 03:06:04 GMT 2009


Hello Mike,

Thanks a lot for your response. Actually I just figured it out. The reason
was that I was using the Type-2 format mentioned in this link
http://www.innovation.ch/personal/ronald/ntlm.html  and apparently it's not
compatible with IE. But surprisingly IE still sends out a valid Type-3
package but failed the final authorization. The solution for this is just to
encode the entire NTLMSSP buffer generated from the AcceptSecurityContext()
API and send it back to IE, and IE would respond with the right package and
pass the authorization. It's kind of interesting that MS is using the same
way to do NTLM over HTTP and normal NTLM in client-server mode, since the
hash generated from the GSSAPI is much longer than the format used in
HTTP and you need to pass it over the internet. But I guess they just want
their GSSAPI to be consistent and I think IE is using the same API.

Thanks,
Andy

On Fri, Apr 10, 2009 at 7:09 PM, Michael B Allen <ioplex at gmail.com> wrote:

> On Fri, Apr 10, 2009 at 4:06 PM, Ajax Zheng <adzheng at gmail.com> wrote:
> > Hello,
> >
> > I wrote a small test web server trying to talk to an IE client for NTLM
> > authentication. I'm using SSPI AcceptSecurityContext() etc. in my
> > server side code. I was able to get IE to send me the Type-3 message with
> > LM and NT response hashes. But when I called AcceptSecurityContext()
> > the 2nd time to pass in these response data, it returned ACCESS LOGIN DENIED
> > (The logon attempt failed. Unknown user name or bad password).
> >
> > I checked the decoded Type-3 message received from IE and found out that
> > the LM response field only has the first 8 bytes filled and the remaining
> > 16 bytes are all 0x00.
> >
> > I'm not sure if this is the reason that causes AcceptSecurityContext()
> > to fail.
> >
> > Does anyone know if a server implementing NTLMSSP (using SSPI,
> > AcceptSecurityContext() api etc.) authentication will work with an IE
> > client performing NTLM authentication?
>
> This isn't really the right place to ask this question.
>
> Your code should work. I suspect something is slightly off like some
> AcceptSecContext flags.
>
> Get a capture of IE doing NTLMSSP with IIS and then another of IE
> doing NTLMSSP with your server. Then compare each field and in
> particular the NTLMSSP flags. As long as the communication is identical
> it should work.
>
> Good luck,
> Mike
>
> --
> Michael B Allen
> Java Active Directory Integration
> http://www.ioplex.com/
>
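As an added illustration of the exchange discussed in this thread (example code written for this page, not from the jcifs project, Ajax's server, or Mike), the script below does the two things the discussion turns on: it wraps an NTLMSSP buffer, whole and base64-encoded, in the `NTLM <base64>` form that `WWW-Authenticate` and `Authorization` headers carry, and it decodes the Type-2 and Type-3 messages that come back so the fields and flags can be compared against a capture of IE talking to IIS, as Mike suggests. Field offsets and flag names follow the MS-NLMP layouts; the Type-2 target name, server challenge, flag set, user, domain, workstation and LM/NT response bytes are constructed placeholder values, not real credentials or captures. The classifier also recognises the LM response shape Ajax reported (8 non-zero bytes followed by 16 zero bytes), which is what a client sends for NTLMv1 with extended session security (the NTLM2 session response), where that field carries only the 8-byte client nonce.

```python
"""Encode/decode NTLM over HTTP tokens and inspect their fields (constructed example)."""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
# NTLMSSP negotiate flag bits, named as in MS-NLMP (subset used for display)
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000200: "NEGOTIATE_NTLM",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
}


def token_to_header(token):
    """Wrap the entire SSPI output buffer, base64-encoded, as the header value IE expects."""
    return "NTLM " + base64.b64encode(token).decode("ascii")


def header_to_token(value):
    """'NTLM <base64>' (from WWW-Authenticate or Authorization) -> raw NTLMSSP bytes."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not b64:
        raise ValueError("not an NTLM header value")
    return base64.b64decode(b64)


def _secbuf(buf, off):
    """Read an 8-byte security buffer (len, maxlen, offset) and return the bytes it points at."""
    length, _maxlen, start = struct.unpack_from("<HHI", buf, off)
    if start + length > len(buf):
        raise ValueError("security buffer points outside the message")
    return buf[start:start + length]


def flag_names(flags):
    return sorted(name for bit, name in FLAGS.items() if flags & bit)


def classify_responses(lm, nt):
    """Identify which NTLM response variant the Type-3 LM/NT fields carry."""
    if len(nt) > 24:
        return "NTLMv2"
    if len(lm) == 24 and any(lm[:8]) and lm[8:] == bytes(16):
        # LM field = 8-byte client nonce + 16 zero bytes: NTLMv1 with extended session security
        return "NTLMv1 with extended session security"
    return "NTLMv1"


def parse(token):
    """Decode a Type-2 (challenge) or Type-3 (authenticate) NTLMSSP message into a dict."""
    if token[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", token, 8)
    if msg_type == 2:
        flags = struct.unpack_from("<I", token, 20)[0]
        enc = "utf-16-le" if flags & 1 else "ascii"
        return {"type": 2, "flags": flags,
                "target_name": _secbuf(token, 12).decode(enc),
                "server_challenge": token[24:32]}
    if msg_type == 3:
        lm, nt = _secbuf(token, 12), _secbuf(token, 20)
        # Flags sit at offset 60 when the 64-byte header (with session key) is present
        flags = struct.unpack_from("<I", token, 60)[0] if len(token) >= 64 else 0
        enc = "utf-16-le" if flags & 1 else "ascii"
        return {"type": 3, "flags": flags, "lm_response": lm, "nt_response": nt,
                "domain": _secbuf(token, 28).decode(enc),
                "user": _secbuf(token, 36).decode(enc),
                "workstation": _secbuf(token, 44).decode(enc),
                "response_kind": classify_responses(lm, nt)}
    raise ValueError("unsupported NTLMSSP message type %d" % msg_type)


def build_message(msg_type, fields, flags, trailer=b""):
    """Assemble a constructed message: signature, type, N security buffers, flags, trailer, payload."""
    header = SIGNATURE + struct.pack("<I", msg_type)
    offset = 12 + 8 * len(fields) + 4 + len(trailer)   # where the payload starts
    payload = b""
    for data in fields:
        header += struct.pack("<HHI", len(data), len(data), offset + len(payload))
        payload += data
    return header + struct.pack("<I", flags) + trailer + payload


# Constructed sample values (placeholders, not a real challenge or real responses)
SAMPLE_FLAGS = 0x00000001 | 0x00000200 | 0x00080000
SAMPLE_CHALLENGE = bytes(range(0x11, 0x19))
TYPE2 = build_message(2, ["SERVER".encode("utf-16-le")], SAMPLE_FLAGS, SAMPLE_CHALLENGE)
TYPE3 = build_message(3, [
    b"\x01\x02\x03\x04\x05\x06\x07\x08" + bytes(16),    # LM field shaped like the one in the thread
    b"\xaa" * 24,                                        # placeholder 24-byte NT response
    "WORKGROUP".encode("utf-16-le"), "user1".encode("utf-16-le"),
    "PC".encode("utf-16-le"), b""], SAMPLE_FLAGS)


def demo():
    """Round-trip both messages through the HTTP header form and decode them."""
    challenge = parse(header_to_token(token_to_header(TYPE2)))
    authenticate = parse(header_to_token(token_to_header(TYPE3)))
    return challenge, authenticate


if __name__ == "__main__":
    for msg in demo():
        print({k: (flag_names(v) if k == "flags" else v) for k, v in msg.items()})
```

When comparing a capture of IE against IIS with one against your own server, feed each header value through `header_to_token` and `parse`, then diff the `flags` lists and the Type-2 target name and challenge layout; a Type-2 that is not the unmodified SSPI output buffer is exactly the mismatch the thread describes.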