[jcifs] meaning of jcifs.samba.client.useExtendedSecurity

Michael B Allen ioplex at gmail.com
Wed Jan 28 15:53:13 GMT 2009

On Wed, Jan 28, 2009 at 6:39 AM, Jan Asle Kroknes <janasle at gmail.com> wrote:
> Hi all,
> I've started playing around with jCIFS but I can't quite get it to work.
> I'm using 1.3.3 and have a W2k3 domain controller. When attempting to fetch
> the challenge using SmbSession.getChallenge(kdc) I don't get anything.
> However, if I set jcifs.samba.client.useExtendedSecurity to false I get the
> 8 byte challenge as expected.
> Is this a bug in jCIFS or is it a problem with the domain controller?

Neither. Extended security is the "new" way to exchange tokens to
perform authentication, which as of 1.3 is the default because it is
required to do NTLMv2. There's still a challenge that can be extracted
from extended security tokens, but the SmbSession.getChallenge and
getChallengeForDomain methods are for doing "man-in-the-middle" style
authentication (used by the HTTP Filter to do SSO), which does not work
with NTLMv2, so there's no point in "fixing" those methods to return
the proper challenge as it would be of no use to anyone.

Just set jcifs.lmCompatibility = 0 and
jcifs.smb.client.useExtendedSecurity = false to use NTLMv1. Then it
will work (unless security policy requires NTLMv2).


Michael B Allen
Java Active Directory Integration
