[jcifs] Re: NTLM HTTP broken by Microsoft Security Update ? - False Alarm

[Jim Davidson]

This issue appears to be an NTLM issue, independent of jCIFS.  Microsoft has 
added loopback checking, to prevent reflection attacks.  In our environment, 
the problem has only appeared in cases where the browser and AD Controller 
are running on the same Windows Server machine (which happened to be the 
configuration that I tested).

For those specific cases, there are Registry edits that will enable IE to 
work around the problem.  But, it doesn't appear to be a problem in the 
general case.

-Jim

On 4/24/2009 2:55 PM, Jim Davidson wrote:
> This was alluded to in an earlier posting, but it sort of got lost in 
> the thread.
> 
> Microsoft just released a cumulative security update for Internet 
> Explorer, MS09-014.  We have installed it, and it seems to break jCIFS 
> NTLM HTTP authentication.
> 
> The failure occurs in the last step, SmbSession.logon().  The relevant 
> information from the SmbAuthException is:
>     0xC0000022: jcifs.smb.SmbAuthException: Access is denied.
> 
> An earlier clue is that type1.getSuppliedDomain() returns null, but that 
> occurs in other cases.
> 
> Does this appear to be related to the update?  The problem does not 
> happen in non-updated installations of IE.
> 
> The Microsoft docs talk about blocking "NTLM credential reflection 
> attacks":
> <http://blogs.technet.com/srd/archive/2009/04/14/ntlm-credential-reflection-updates-for-http-clients.aspx> 
> 
> 
> Does this mean that the technique used in the current NTLM HTTP filter 
> has reached the end of its life?  :-(  Or maybe the failure was just 
> coincidental...  Or maybe there's some magical re-configuration that I 
> can do to make things work again?
> 
> Is anyone else seeing this?  Thanks for any help.
> 
> -Jim
> 
>