Can anyone elaborate on the difference?

I'm currently using NtlmSsp.authenticate() (jcifs), but it seems unable to do getPassword(). It always returns null.

+1  A: 

There is a difference.

With Kerberos, you will have to ask your domain administrator for a Service Principal Name (SPN) for your web app. Essentially this is an entry in the Active Directory with a cryptographic key that will let your web app decode authentication requests.

With NTLM, you don't need the cooperation of your administrator. Your web app will get some information from the client (i.e. the browser) that it can use to attempt a logon to a domain controller. The information from the client doesn't include the user's password - that would be too insecure. Instead, the NTLM filter gets a challenge from the domain controller and passes it to the client. The client hashes the password with the challenge to create a response. When this response is sent back to the domain controller as a logon request, the domain controller will tell the jcifs filter whether the password was correct or not.

Some jcifs classes have a getPassword method, because they allow you to create the logon request from a username and password directly. If you use that approach, then as well as setting the password you can retrieve it. But this isn't the approach used when you let the browser authenticate for you, so you won't be able to retrieve the actual password.

John
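The challenge/response exchange John describes, as an added example that is not part of the original answer and not jcifs code. It is a Python model of the NTLMv2 variant as specified in MS-NLMP (jcifs also supports the older LM/NTLMv1 responses, which use DES instead of HMAC-MD5 but have the same property): the browser turns the password into a keyed hash over the domain controller's challenge, the web app's filter only relays challenge and response, and the domain controller checks the response against the NT hash it stores for the account. Nothing but the browser ever holds the password, which is why an authentication object built from the browser's response has nothing to return from getPassword(). MD4 is implemented inline because hashlib lacks it in many OpenSSL 3 builds; the user, domain, timestamp, target-info blob and challenges are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

_MASK = 0xFFFFFFFF


def _rot(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. Pure Python because hashlib.new("md4") is missing from
    many OpenSSL 3 builds, and the NT hash is MD4 over the UTF-16LE password."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Each step updates one word; rotating the tuple keeps the RFC's a/b/c/d order.
        for i in range(16):  # round 1, F(x,y,z) = (x & y) | (~x & z)
            t = (a + ((b & c) | (~b & d)) + x[i]) & _MASK
            a, b, c, d = d, _rot(t, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2, G(x,y,z) = majority(x,y,z)
            t = (a + ((b & c) | (b & d) | (c & d)) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & _MASK
            a, b, c, d = d, _rot(t, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3, H(x,y,z) = x ^ y ^ z
            t = (a + (b ^ c ^ d) + x[r3[i]] + 0x6ED9EBA1) & _MASK
            a, b, c, d = d, _rot(t, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    # What Active Directory stores for the account (the "NT hash"), never the password.
    return md4(password.encode("utf-16le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    # NTOWFv2 (MS-NLMP 3.3.2): the NT hash keyed to the uppercased user name and the domain.
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def client_ntlmv2_response(password, user, domain, server_challenge, client_challenge, filetime, target_info):
    """Browser side. Only the derived keyed hash leaves this function, never the password."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(nt_hash(password), user, domain),
                     server_challenge + temp, hashlib.md5).digest()
    return proof + temp  # NtChallengeResponse = NTProofStr || temp


def dc_verify(stored_nt_hash, user, domain, server_challenge, nt_response):
    """Domain controller side: recompute the proof from the stored NT hash and compare."""
    proof, temp = nt_response[:16], nt_response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain),
                        server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def web_app_logon(password_typed_in_browser, password_set_in_ad, user="alice", domain="CORP"):
    """The filter's role: relay the DC's challenge to the browser and the browser's
    response back to the DC. Returns (logon_ok, what_the_filter_ends_up_holding)."""
    server_challenge = os.urandom(8)  # obtained from the DC (SmbSession.getChallenge in jcifs)
    # Constructed target info: one MsvAvNbDomainName AvPair followed by MsvAvEOL.
    target_info = struct.pack("<HH", 2, 2 * len(domain)) + domain.encode("utf-16le") + b"\x00" * 4
    response = client_ntlmv2_response(password_typed_in_browser, user, domain,
                                      server_challenge, os.urandom(8),
                                      0x01D2A7B000000000, target_info)  # constructed FILETIME
    ok = dc_verify(nt_hash(password_set_in_ad), user, domain, server_challenge, response)
    held = {"domain": domain, "user": user, "challenge": server_challenge,
            "nt_response": response, "password": None}  # nothing for getPassword() to return
    return ok, held


if __name__ == "__main__":
    print("NT hash of 'Password':", nt_hash("Password").hex())
    print("correct password accepted:", web_app_logon("Password", "Password")[0])
    print("wrong password accepted:  ", web_app_logon("Passw0rd", "Password")[0])
```

The `held` dictionary is the analogue of the object the filter hands your code after a browser logon: domain, user name, the challenge and the response bytes. A verifier who knows the NT hash can check the response, but neither the web app nor the domain controller can recover the password from it, so the only way to have a password to return is to have been given one up front, as with the username/password constructor John mentions.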