FW: [jcifs] NTLM authentication

André Warnier aw at ice-sa.com
Thu Apr 23 21:18:20 GMT 2009

Just for the record, I am also very interested in the same subject.
Basically my issue is the following one, which might overlap yours and 
the OP's to some extent.

We have developed a browser applet in Java, which allows the user to 
select a series of files/directories locally on his workstation, and 
send them to a webserver as POSTs (one POST per file).  The applet is 
smart enough to pick up proxy settings from the browser (if any), and 
apply them to its own POSTs if needed.
For the POST part, we used the Apache Commons HTTPClient 3.x library.
The POSTS are multipart/form-data, because in addition to the file 
itself, there are some additional parameters being posted each time.
Generally, it works fine.

However, we have a problem when the POSTs have to go through a corporate 
proxy which requires NTLM authentication.
The Apache HTTPClient library does not handle that.
Sun's java.net.URL class handles this fine, and seems to "magically" do 
whatever's needed, with GETs and also with basic POSTs (url-encoded).
But java.net.URL does not handle "multipart/form-data" posts, and it 
seems quite complicated to add this capability from the outside.
So for the moment, we're stuck, and conjuring up many swearwords to the 
attention of whomever invented proxies with NTLM authentication.

One frustrating part in all this, is that the browser in which this 
applet runs, has no problem at all authenticating to the proxy and 
sending POSTs through it (to submit its html <forms> e.g.). But the 
applet running in the browser does.


Michael B Allen wrote:
> On Thu, Apr 23, 2009 at 3:16 PM, Clapham, Paul <pclapham at core-mark.com> wrote:
>> Sorry, I sent this link to Suvendu only instead of the list last time.
>> http://sourceforge.net/projects/ntlmaps/
>> It's written in Python but I expect it shouldn't be hard to figure out the NTLM part.
> Yeah, I've seen that (and cntlm) but I would like to find something
> more definitive. In particular I'm curious as to what Microsoft's
> proxy software is. I've tried to search around on their website but I
> just don't know enough about it to get a toe hold. Then again I
> haven't spent much time on it.
> Thanks tho.
> Mike
>> -----Original Message-----
>> From: jcifs-bounces+pclapham=core-mark.com at lists.samba.org [mailto:jcifs-bounces+pclapham=core-mark.com at lists.samba.org] On Behalf Of Michael B Allen
>> Sent: April 23, 2009 10:46
>> To: Suvendu_Mohapatra
>> Cc: jcifs at lists.samba.org
>> Subject: Re: FW: [jcifs] NTLM authentication
>> On Thu, Apr 23, 2009 at 12:46 PM, Suvendu_Mohapatra <Suvendu_mohapatra at satyam.com> wrote:
>>> I am posting this mail again because my exchange server gave some error during post for first time. If you have received this mail, then kindly ignore this and sorry for spamming your mail box.
>>> Hi,
>>>        I am trying to replay back my Grinder script through network proxy authorization type NTLM. But the Grinder tool does not support NTLM authentication. So every time I am getting response code "proxy authorization 407". So I am trying to write a code by using 3rd party package so that Grinder will support NTLM authentication.
>> It sounds like you want to implement the client side of NTLM proxy authentication in this tool that you're using.
>> Proxy authentication is slightly different from authenticating with an HTTP server directly. I don't have a proxy server that supports NTLM (although I do need an exemplary one to implement NTLM proxy authentication elsewhere so if someone knows about NTLM proxies please let me know) so I cannot comment on the details but I think you basically just want to use jcifs.smb.client.NtlmContext.initSecContext
>> with the jcifs.util.Base64 class in a loop to emit and consume tokens between the client and the proxy server. Once that completes succcessfully, the original request will go through.
>> However, you must first understand that NTLM is a multi-request process and figure out how that will integrate with this tool that you're using. That is very unclear. You have some research to do regarding the protocol and the tool. WireShark will be required for that.
>> Mike
>> --
>> Michael B Allen
>> Java Active Directory Integration
>> http://www.ioplex.com/

More information about the jcifs mailing list