[jcifs] Re: NTLM HTTP broken by Microsoft Security Update ? - False
Alarm
Jim Davidson
jdavidson at acm.org
Fri Apr 24 23:37:09 GMT 2009
This issue appears to be an NTLM issue, independent of jCIFS. Microsoft has
added loopback checking, to prevent reflection attacks. In our environment,
the problem has only appeared in cases where the browser and AD Controller
are running on the same Windows Server machine (which happened to be the
configuration that I tested).
For those specific cases, there are Registry edits that will enable IE to
work around the problem. But, it doesn't appear to be a problem in the
general case.
-Jim
On 4/24/2009 2:55 PM, Jim Davidson wrote:
> This was alluded to in an earlier posting, but it sort of got lost in
> the thread.
>
> Microsoft just released a cumulative security update for Internet
> Explorer, MS09-014. We have installed it, and it seems to break jCIFS
> NTLM HTTP authentication.
>
> The failure occurs in the last step, SmbSession.logon(). The relevant
> information from the SmbAuthException is:
> 0xC0000022: jcifs.smb.SmbAuthException: Access is denied.
>
> An earlier clue is that type1.getSuppliedDomain() returns null, but that
> occurs in other cases.
>
> Does this appear to be related to the update? The problem does not
> happen in non-updated installations of IE.
>
> The Microsoft docs talk about blocking "NTLM credential reflection
> attacks":
> <http://blogs.technet.com/srd/archive/2009/04/14/ntlm-credential-reflection-updates-for-http-clients.aspx>
>
>
> Does this mean that the technique used in the current NTLM HTTP filter
> has reached the end of its life? :-( Or maybe the failure was just
> coincidental... Or maybe there's some magical re-configuration that I
> can do to make things work again?
>
> Is anyone else seeing this? Thanks for any help.
>
> -Jim
>
>
More information about the jcifs
mailing list