[jcifs] Obtaining SessionKey from DC for signing

Michael B Allen ioplex at gmail.com
Tue Mar 30 10:15:51 MDT 2010


On Tue, Mar 30, 2010 at 5:22 AM, Johnny Kimble <johnnykimble at gmail.com> wrote:
> Hi all,
>
> I've struggled to find specific information about this scenario online, maybe
> because I'm looking in the wrong places, or maybe because I'm asking the wrong
> questions...
>
> What I don't understand is how, programmatically, a CIFS server gets a
> MAC\session key from a domain controller in order to sign messages.
>
> For example, Client and Server both require signing, and are both part of a
> domain controlled by Domain Controller. When the Client (for example, Windows
> 7/Vista) makes a request to the Server, the Server then has to somehow
> communicate with
> Domain Controller (is this pass through authentication?) and in addition to
> authenticating the Client, the DC must also supply the Server with the
> SessionKey so that the Server can sign messages.
>
> I've been looking at various specifications, Netlogon, Kerberos and the GSS-API
> but can't find this specific bit of information. What protocol is used between
> the Server and the Domain Controller to ask the DC to send the SessionKey, or
> MAC?
>
> I've also taken a look over the Samba source code, but am struggling to
> pinpoint where this takes place.
>
> Any help, advice or direction would be greatly appreciated.

Hi Johnny,

This is a little out of scope for this list but in simple terms the
exact way in which a session key is generated depends on the protocol
being used. For example JCIFS uses NTLM but there are multiple ways to
generate the signing key that depend on what version is used, whether
or not "key exchange" is negotiated, etc. It's non-trivial.

But again, this is not something you need to know about to use JCIFS
so I can't help you much with this.

Microsoft recently published fairly detailed documentation about a lot
of their protocols. Google for "wspp documentation". You can download
zip files of PDFs from Microsoft's website that have all sorts of
details about stuff like generating the session key.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
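
Added example (not part of the original message and not JCIFS code): a sketch of how the NTLMv2 session key differs with and without "key exchange", following the formulas in Microsoft's MS-NLMP document. The function names are hypothetical, all input values are constructed, and only the NTLMv2 case (where the key exchange key equals the session base key) is covered.

```python
import hashlib
import hmac
import os

NEGOTIATE_KEY_EXCH = 0x40000000  # NTLMSSP_NEGOTIATE_KEY_EXCH (MS-NLMP)

def hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()

def rc4(key, data):
    """RC4; NTLM uses it here only to wrap the 16-byte session key."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def session_base_key(ntowf_v2, server_challenge, temp):
    """NTLMv2: NTProofStr and SessionBaseKey both hang off the NTOWFv2 hash."""
    nt_proof = hmac_md5(ntowf_v2, server_challenge + temp)
    return nt_proof, hmac_md5(ntowf_v2, nt_proof)

def client_exported_key(base_key, flags):
    """Return (signing key, EncryptedRandomSessionKey put on the wire)."""
    if flags & NEGOTIATE_KEY_EXCH:
        random_key = os.urandom(16)
        return random_key, rc4(base_key, random_key)
    return base_key, b""

def verifier_exported_key(base_key, flags, encrypted_key):
    """Key recovered by whoever can compute SessionBaseKey from NTOWFv2."""
    if flags & NEGOTIATE_KEY_EXCH:
        return rc4(base_key, encrypted_key)
    return base_key

if __name__ == "__main__":
    ntowf_v2 = bytes(range(16))                    # constructed, not a real hash
    challenge = bytes.fromhex("0123456789abcdef")  # constructed server challenge
    temp = b"\x01\x01" + bytes(26)                 # constructed stand-in for the blob
    _, base = session_base_key(ntowf_v2, challenge, temp)
    for flags in (0, NEGOTIATE_KEY_EXCH):
        key, enc = client_exported_key(base, flags)
        print(hex(flags), key.hex(), verifier_exported_key(base, flags, enc) == key)
```

In both branches the signing key can only be recovered by a party able to compute the session base key from the password-derived hash.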

