[jcifs] NTLMHttpFilter for multiple Domains?

Jose Luis Martinez Avial jlmartinez at pb-santander.com
Fri Apr 24 03:05:36 GMT 2009

Kevin, do you remember which configuration caused the Type1Message not
to provide a domain? I have modified the NtlmHttpFilter to work with
three domains, and it has been working for a year, until recently the
people logged into one of the domains have not been able to
authenticate, because the client (IE) doesn't send the domain. I don't
understand why, because the other domains are working, and nothing has
changed in the domain which is failing. Any ideas?

From: jcifs-bounces+jlmartinez=bpi-gruposantander.com at lists.samba.org
[mailto:jcifs-bounces+jlmartinez=bpi-gruposantander.com at lists.samba.org]
On Behalf Of Kevin Tapperson
Sent: Wednesday, April 30, 2008 2:42 AM
To: AJ Weber
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] NTLMHttpFilter for multiple Domains?


I did an implementation of this several years ago.  What you would need
to do is to get the value provided by the client in the NTLM type 1
message for the domain.  (Note that this is the workstation domain and
not the user's domain.  But, if the two differ, there would have to be a
trust relationship between them in order to allow the user to login to
the workstation anyway.)  You can get the domain from the Type1Message
object by calling the getSuppliedDomain method.  In some cases, I found
that the client does not send a domain.  I cannot recall what cases
these were.  I think it was certain browser configurations, for example,
if IE was set such that it didn't automatically send the credentials,
but popped up the authentication dialog, and possibly something about
Windows 2003.  After you have the domain from the type 1 message, you
need to generate a challenge using a domain controller from the supplied
domain to use in the type 2 message that the server sends back to the
browser.  In order to accomplish this, you'll need to move some code
around, as the implementation of NtlmHttpFilter generates a challenge
before it calls the NtlmSsp class, which is where the Type1Message
object is constructed.  You will also likely need to always use the load
balancing code in the NtlmHttpFilter (which stores the challenge and
domain controller that generated it in the HttpSession) so that your
authentication requests on receipt of a type 3 message get directed back
to the same domain controller.

I hope this helps.

On Wed, Apr 23, 2008 at 10:44 AM, AJ Weber <aweber at comcast.net> wrote:

Has anyone extended the NTLMHttpFilter to support multiple "allowed"


I may have a situation where multiple domains are allowed for
authentication to a site, and they don't have an appropriate Trust
Relationship setup.


I think I could extend it to support this myself, but didn't want to
"reinvent the wheel" if someone else already had done it and can share.


Thanks in advance,


Kevin Tapperson

Internet communications are not secure and therefore Banco
Santander International does not accept legal responsibility for
the contents of this message. Any views or opinions presented are
solely those of the author and do not necessarily represent those
of Banco Santander International unless otherwise specifically
stated.
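The handshake Kevin describes, written out as an added example (this is not jCIFS's own NtlmHttpFilter/NtlmSsp code, and not the modification Jose or Kevin made): the domain is read from the Type 1 message, a challenge is fetched from a controller of that domain, the challenge and controller are kept in the HttpSession, and the Type 3 logon is sent back to the same controller. The domain-to-controller map, the DEFAULT_DOMAIN fallback for clients that send no domain, and the rejection of domains outside the map are assumed configuration/policy, not anything the thread prescribes; the jCIFS 1.x classes and servlet API are assumed to be on the classpath.

```java
// Added example: multi-domain NTLM negotiate step on top of jCIFS 1.x.
// Not jCIFS's own NtlmHttpFilter. DOMAIN_CONTROLLERS and DEFAULT_DOMAIN
// are assumed configuration; the allowed-domain check is an assumed policy.
package example;

import java.io.IOException;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import jcifs.UniAddress;
import jcifs.ntlmssp.Type1Message;
import jcifs.ntlmssp.Type2Message;
import jcifs.ntlmssp.Type3Message;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbAuthException;
import jcifs.smb.SmbSession;
import jcifs.util.Base64;

public class MultiDomainNtlmNegotiator {

    /** Allowed NetBIOS domain -> a domain controller for it (assumed config). */
    private static final Map<String, String> DOMAIN_CONTROLLERS = new HashMap<String, String>();
    static {
        DOMAIN_CONTROLLERS.put("DOMAIN1", "dc1.domain1.example");
        DOMAIN_CONTROLLERS.put("DOMAIN2", "dc2.domain2.example");
        DOMAIN_CONTROLLERS.put("DOMAIN3", "dc3.domain3.example");
    }
    /** Used when the Type 1 message carries no domain (assumed policy). */
    private static final String DEFAULT_DOMAIN = "DOMAIN1";

    private static final String CHAL_ATTR = "NtlmHttpChal";
    private static final String DC_ATTR = "NtlmHttpDc";

    /**
     * Drives one NTLM round trip. Returns the authenticated credentials on a
     * valid Type 3 message; otherwise writes a 401 (carrying a Type 2
     * challenge when a Type 1 message was received) and returns null.
     */
    public static NtlmPasswordAuthentication negotiate(HttpServletRequest req,
            HttpServletResponse resp) throws IOException {
        String msg = req.getHeader("Authorization");
        if (msg == null || !msg.startsWith("NTLM ")) {
            resp.setHeader("WWW-Authenticate", "NTLM");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return null;
        }
        byte[] src = Base64.decode(msg.substring(5));
        HttpSession ssn = req.getSession();

        if (src[8] == 1) { // NTLMSSP MessageType: 1 = NEGOTIATE (Type 1)
            Type1Message type1 = new Type1Message(src);
            // This is the workstation's domain, not necessarily the user's.
            String domain = type1.getSuppliedDomain();
            if (domain == null || domain.length() == 0) {
                domain = DEFAULT_DOMAIN; // client sent no domain (the case in the thread)
            }
            String dcName = DOMAIN_CONTROLLERS.get(domain.toUpperCase(Locale.ENGLISH));
            if (dcName == null) { // domain not allowed for this site
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return null;
            }
            UniAddress dc = UniAddress.getByName(dcName, true);
            byte[] challenge = SmbSession.getChallenge(dc);
            // Remember which controller issued the challenge so the Type 3
            // logon goes back to the same one.
            ssn.setAttribute(CHAL_ATTR, challenge);
            ssn.setAttribute(DC_ATTR, dc);
            Type2Message type2 = new Type2Message(type1, challenge, null);
            resp.setHeader("WWW-Authenticate", "NTLM " + Base64.encode(type2.toByteArray()));
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            resp.setContentLength(0);
            resp.flushBuffer();
            return null;
        }
        if (src[8] == 3) { // 3 = AUTHENTICATE (Type 3)
            byte[] challenge = (byte[]) ssn.getAttribute(CHAL_ATTR);
            UniAddress dc = (UniAddress) ssn.getAttribute(DC_ATTR);
            if (challenge == null || dc == null) { // no matching Type 2 was issued
                resp.setHeader("WWW-Authenticate", "NTLM");
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return null;
            }
            ssn.removeAttribute(CHAL_ATTR); // one challenge, one logon attempt
            ssn.removeAttribute(DC_ATTR);
            Type3Message type3 = new Type3Message(src);
            NtlmPasswordAuthentication ntlm = new NtlmPasswordAuthentication(
                    type3.getDomain(), type3.getUser(), challenge,
                    type3.getLMResponse(), type3.getNTResponse());
            try {
                SmbSession.logon(dc, ntlm); // verified by the controller that issued the challenge
            } catch (SmbAuthException e) {
                resp.setHeader("WWW-Authenticate", "NTLM");
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return null;
            }
            return ntlm;
        }
        resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        return null;
    }
}
```

A Filter would call negotiate() from doFilter() and continue the chain only when it returns non-null. Because the Type 3 response is bound to the challenge a specific controller handed out, the session must carry both the challenge and the controller across the two requests; a server with several nodes and no sticky sessions would lose that pairing and fail every logon.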
