[jcifs] Type1Message with no domain and workstation

Michael B Allen ioplex at gmail.com
Fri Jun 24 21:34:51 MDT 2011


This issue has been removed from the TODO list because some basic
tests showed that Windows clients do not include the domain or
workstation fields in the NTLMSSP_NEGOTIATE message (at least not
under my test conditions).

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

On Fri, Jun 18, 2010 at 12:22 AM, Michael B Allen <ioplex at gmail.com> wrote:
> Hi Michael,
>
> I have added your observation to the TODO list as a possible NTLMSSP
> domain / workstation field discrepancy for further investigation.
>
> Thanks for the feedback.
>
> Mike
>
> On Wed, Jun 16, 2010 at 10:01 PM, michaelc <michaelc at idssoftware.com> wrote:
>>
>> Hi,
>>
>> Wireshark 1.2.8 shows that when Firefox 3.5 uses SSL Tunneling to CONNECT via
>> Microsoft ISA 2006, it sends a Type1 Message with no domain and workstation.
>> However, the security buffers do exist for these two fields, making the total
>> size of the NTLMSSP to be 32 bytes. This behavior is also confirmed by this
>> article (right before the Type1 Message Exception):
>>
>>  http://davenport.sourceforge.net/ntlm.html#theType1Message
>>
>> The current 1.3.14 release jCIFS will send a malformed Type1Message if its
>> constructor is like this:
>>
>>  message = new Type1Message(0, null, "");
>>
>> This message is only 16 bytes long, with the two security buffers omitted
>> altogether. The Wireshark folks deem this NTLMSSP message malformed.
>>
>> It is time to move away from this Windows 95/98 style malformed Type1 message.
>> Above is the fix (a great example of less is more). I can't paste the diff
>> as is unless changing > to - and < to + to get around the "You seem to be
>> top-posting. Don't do that."
>>
>> --Michael
>>
>> $ diff jcifs/ntlmssp/Type1Message.java
>> ../../../jcifs_1.3.14/src/jcifs/ntlmssp/Type1Message.java
>> 131a132
>> -             boolean hostInfo = false;
>> 133a135
>> -                 hostInfo = true;
>> 142a145
>> -                 hostInfo = true;
>> 151c154,155
>> +             byte[] type1 = new byte[32 + domain.length + workstation.length];
>> ---
>> -             byte[] type1 = new byte[hostInfo ?
>> -                     (32 + domain.length + workstation.length) : 16];
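
Review bot: the allocation on the + line of 151c154,155 now reads domain.length and workstation.length unconditionally, where the removed ternary only evaluated them when hostInfo was true. The assignments of domain and workstation are outside this diff, so confirm both are always non-null (empty arrays at minimum) for the constructor call cited earlier in the message, new Type1Message(0, null, ""); otherwise this line throws a NullPointerException instead of producing the 32-byte message.
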
>> 155,156c159,162
>> +             writeSecurityBuffer(type1, 16, 32, domain);
>> +             writeSecurityBuffer(type1, 24, 32 + domain.length, workstation);
>> ---
>> -             if (hostInfo) {
>> -                 writeSecurityBuffer(type1, 16, 32, domain);
>> -                 writeSecurityBuffer(type1, 24, 32 + domain.length,
>>  workstation);
>> -             }
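
Review bot: with the if (hostInfo) guard gone in 155,156c159,162, both writeSecurityBuffer calls run even when domain and workstation are empty, passing a zero-length array and an offset of 32, which equals the total message length in that case. writeSecurityBuffer itself is not shown here, so check that it accepts a zero-length source without copying past the end of type1, and add a test asserting that the no-domain, no-workstation case serialises to exactly 32 bytes. A short comment naming the 16, 24 and 32 offsets (first buffer, second buffer, start of payload) would also help the next reader.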


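The two Type 1 layouts discussed in this thread (16 bytes with the security buffers omitted, 32 bytes with two empty security buffers), as an added Python example that is not part of the thread or of jCIFS: it encodes both forms and parses them with bounds checks on the security buffers. The function names and the `legacy` switch are hypothetical; the buffer offsets follow the `writeSecurityBuffer` calls in the quoted diff.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
DOMAIN_SUPPLIED = 0x00001000       # NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
WORKSTATION_SUPPLIED = 0x00002000  # NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
HEADER_LEN = 16   # signature (8) + message type (4) + flags (4)
BODY_OFFSET = 32  # header plus two 8-byte security buffers


def build_type1(flags, domain=b"", workstation=b"", legacy=False):
    """Encode a Type 1 message; legacy=True gives the 16-byte form."""
    if domain:
        flags |= DOMAIN_SUPPLIED
    if workstation:
        flags |= WORKSTATION_SUPPLIED
    header = SIGNATURE + struct.pack("<II", 1, flags)
    if legacy and not domain and not workstation:
        return header
    # Security buffer: length, allocated length (uint16 each), offset (uint32).
    # Offsets follow the calls in the diff: 32 and 32 + len(domain).
    dom_buf = struct.pack("<HHI", len(domain), len(domain), BODY_OFFSET)
    ws_buf = struct.pack("<HHI", len(workstation), len(workstation),
                         BODY_OFFSET + len(domain))
    return header + dom_buf + ws_buf + domain + workstation


def _read_buffer(msg, pos):
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    if length == 0:
        return b""  # empty field: the offset is not dereferenced
    if offset < BODY_OFFSET or offset + length > len(msg):
        raise ValueError("security buffer at %d points outside the message" % pos)
    return msg[offset:offset + length]


def parse_type1(msg):
    """Return (flags, domain, workstation, form) or raise ValueError."""
    if len(msg) < HEADER_LEN or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != 1:
        raise ValueError("not a Type 1 message")
    if len(msg) == HEADER_LEN:
        # The 16-byte form from the thread: no security buffers at all.
        return flags, b"", b"", "legacy-16"
    if len(msg) < BODY_OFFSET:
        raise ValueError("truncated security buffers")
    return flags, _read_buffer(msg, 16), _read_buffer(msg, 24), "with-buffers"
```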