NTLM Window Authentication

Question

I using the Samba to implement the Window AUthentication. On my web.xml i put this

<filter>
<filter-name>NtlmHttpFilter</filter-name>
<filter-class>jcifs.http.NtlmHttpFilter</filter-class>

<init-param>
    <param-name>jcifs.http.domainController</param-name>
    <param-value>192.168.1.101</param-value>
</init-param>

<!--
    always needed for preauthentication / SMB signatures
-->
<init-param>
    <param-name>jcifs.smb.client.domain</param-name>
    <param-value>NYC-USERS</param-value>
</init-param>
<init-param>
    <param-name>jcifs.smb.client.username</param-name>
    <param-value>somenycuser</param-value>
</init-param>
<init-param>
    <param-name>jcifs.smb.client.password</param-name>
    <param-value>AReallyLoooongRandomPassword</param-value>
</init-param>
</filter>

<filter-mapping>
    <filter-name>NtlmHttpFilter</filter-name>
    <url-pattern>/admin/*</url-pattern>
</filter-mapping>

and once i run the page in admin folder the window login box pop out. What username and password should i key in as currently i was running under Administrator account. I not really understand with it can anyone explain to me ?

<init-param>
    <param-name>jcifs.smb.client.username</param-name>
    <param-value>somenycuser</param-value>
</init-param>
<init-param>
    <param-name>jcifs.smb.client.password</param-name>
    <param-value>AReallyLoooongRandomPassword</param-value>
</init-param>

Can i set the username and password?

Answer 1

Did you try DOMAINNAME\USERNAME?

Answer 2

Since you are logged in as local admin ie will not transmit the required headers for jcifs. so it fails and you need to login into the domain with a valid user on it.

normally it should work with you user/pw combination. if not try for username: domain\username (make sure to use the backslash there).

The username has to be setup on the domaincontroller defined in jcifs.http.domainController

Answer 3

NTLM makes clear distinction between user and domain\user so make sure you include the domain in the auth request.

Answer 4

When using NTLM authentication you authenticate using a windows domain, this is usefull in local intranets with a MS Domain Controller. If you configured your domain controller properly in the web.xml you will be able to authenticate to the website using your windows login username&password assuming you loged in through the same domain you configured in your web.xml Your browser may be configured to authenticate automatically to certain sites, With IE this usually happens by default for sites on your local network (depends on security settings). In Firefox this will not happen automaticlly you need to enable it per site using about:config the "network.automatic-ntlm-auth.trusted-uris" setting.

It is important to note that NTLM authentication however simple is considered insecure, and by authenticating to an untrusted server it is easy for said server to recover your password from the authentication information you send to it.

Answer 5

Here's an open source library, http://spnego.sourceforge.net, that also supports integrated windows authentication/sso.

The library's project page has some examples and installation instructions.