[jcifs] Very generic question about NTLM HTTP authentication

Michael B Allen ioplex at gmail.com
Mon Feb 9 00:26:58 GMT 2009

On Sun, Feb 8, 2009 at 5:31 PM, André Warnier <aw at ice-sa.com> wrote:
> The first-cited article explains why NTLMv2 cannot work with the HTTP filter
> (the man-in-the-middle thing).
> Somewhere else in the jCIFS documentation, it is mentioned that the server
> which one authenticates against (theoretically a DC), in fact does not need
> to be a DC at all, and can be any station that is in the Windows domain of
> interest.
> I am reasoning that in this case, which happens to be the particular case of
> my current problematic client, there should be no question of MITM, or
> should there ?  The "server" part of the "server token" should really point
> to the machine itself against which IE is authenticating, or not ?
> Or am I missing something still ?

Hi André,

No, it doesn't matter if the "domainController" points to a real
domain controller. The web server is still the MITM. It wouldn't
matter if the web server *was* the domain controller.

NTLMv2 cannot work with the MITM technique used by the JCIFS HTTP
Filter. It is theoretically impossible.

I don't know how to explain this any clearer than I did in the cited
post from October. At first I was annoyed that there was yet another
person basically in disbelief over this. But now I realize that this
is a very technical issue and that we only have ourselves to blame for
using the hack in the first place. The MITM thing worked great but as
we're slowly finding out it's done. Everyone's just going to have to
find another way. And with good reason - NTLMv1 uses DES which is
pretty weak.

> If I am missing something, and it cannot work, then in all generality, what
> kind of mechanism would work ?

That is explained in the cited post:

"A proper implementation would do as IIS would do which in the case of
NTLM would be to use the DCERPC NETLOGON service. Specifically, the
web server would generate it's own random challenge with the proper
target information, send that to the browser, collect the password
hashes and then call the NetrSamLogon RPC with the challenge that we
generated and the corresponding password hashes."

>  I am really open-minded in that respect.  I
> am considering up to using an IIS proxy server for my applications, thinking
> that this IIS server should be able to do proper client NTLM authentication,
> and that I should be able to figure out a way to pass this on with each
> request to my Apache and Tomcat parts.

You do realize that if you're running Tomcat through IIS then you can
just turn on IWA right?


Michael B Allen
Java Active Directory Integration

More information about the jcifs mailing list