We have a webapp written in .NET that uses NTLM for SSO. We are writing a new webapp in Java that will tightly integrate with the original application. Unfortunately, Java has no support for performing the server portion of NTLM authentication and the only library that I can find requires too much setup to be allowed by IT.
To work around this, I came up with a remote authentication scheme to work across applications and would like your opinions on it. It does not need to be extremely secure, but at the same time it should not be easily broken.
- User is authenticated into .NET application using NTLM
- User clicks link that leaves .NET application
- .NET application generates random number and stores it in the user table along with the user's full username (domain\username)
- Insecure token is formed as random number:username
- Insecure token is run through secure cipher (likely AES-256) using pre-shared key stored within the application to produce a secure token
- The secure token is passed as part of the query string to the Java application
- The Java application decrypts the secure key using the same pre-shared key stored within its own code to get the insecure token
- The random number and username are split apart
- The username is used to retrieve the user's information from the user table and the stored random number is checked against the one pulled from the insecure token
- If the numbers match, the username is put into the session for the user and they are now authenticated
- If the numbers do not match, the user is redirected to the .NET application's home page
- The random number is removed from the database
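The hand-off described above, as an added example that is not the questioner's code: both sides of the exchange in Java (javax.crypto only), using AES-GCM instead of unauthenticated AES so that a modified token fails the tag check before anything is parsed, and consuming the stored random number on first use. The in-memory map stands in for the user table; the 32-byte key and the usernames are assumed values.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class HandoffToken {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    // Stand-in for the "user table" column that holds the one-time random number per username.
    static final ConcurrentHashMap<String, String> PENDING = new ConcurrentHashMap<>();

    // Issuer side (the .NET app in the question): store the random number, encrypt "number:username".
    static String issue(byte[] key, String username) throws GeneralSecurityException {
        byte[] nonce = new byte[16], iv = new byte[12];
        RNG.nextBytes(nonce); RNG.nextBytes(iv);
        String nonceB64 = B64.encodeToString(nonce);   // base64url never contains ':'
        PENDING.put(username, nonceB64);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal((nonceB64 + ":" + username).getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];          // token = IV || ciphertext || GCM tag
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return B64.encodeToString(out);                        // safe to put in a query string
    }

    // Consumer side (the Java app): returns the username for the session, or null (redirect home).
    static String verify(byte[] key, String token) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(token);
            if (in.length < 12 + 16) return null;              // shorter than IV + tag: cannot be valid
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, in, 0, 12));
            String plain = new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
            int sep = plain.indexOf(':');
            if (sep < 0) return null;
            String nonceB64 = plain.substring(0, sep), username = plain.substring(sep + 1);
            // remove() rather than get(): the number is gone after one use, even if two requests race
            String stored = PENDING.remove(username);
            if (stored == null || !MessageDigest.isEqual(stored.getBytes(), nonceB64.getBytes())) return null;
            return username;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null; // bad tag, wrong key or malformed base64: all rejected the same way
        }
    }
}
```

Calling `verify` a second time with the same token returns null, which is the single-use property the last step of the scheme is after.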