NtlmHttpFilter for Windows 10?

[jwb12345]

Hi,

We are in the process of upgrading from Windows 7 to Windows 10. I use jcifs to get access to users' network user id using NtlmHttpFilter and NtlmHttpServletRequest.getRemoteUser(). The jcifs website notes that it does not support SMB3 (which I guess it what is used by Windows 3). Should this functionality work with jcifs-ng on Windows 10?

Thanks, John

[mbechler]

I suppose the issue with the NtlmHttpFilter won't be lack of SMB3 (which jcifs-ng has some support for) but that the filter is not performing proper NTLM authentication but just uses a hack that only works with NTLMv1, which modern systems likely won't support.

[bostandyksoft]

Hi. What kind of hack do you mean? So, is there some way to use jcifs-ng for performing NTLMv2 authentication? We've used Liferay Portal's code, that they used for supporting NTLMv2, but after upgrading to Windows Server 2016 it wont works. Honestly, i'm not familiar with domain authentication so close for find out some points to fix. But there is two constants: 0x600FFFFF //for Windows 2003 0x6013C600 //for Windows 2008 I believe, that if i will find some constant for Windows 2016, then i will fix this issue. But i can't understand what is a constants.

They are used for DcerpcMessage sending. Unfortunately, there is no any documentation about this structure. Can you provide some direction for future researching?

Best regards. Alexey

[mbechler]

The NtlmHttpFilter code just forwards the login information to another server, this essentially exploits a vulnerability in the NTLMv1 protocol. For "real" NTLM(v2) authentication you have to implement the netlogon protocol to interact with the domain controllers. That implementation, which is a bit more involved as there is an additional layer of cryptography there, jcifs does not have.

What are these constants supposed to be?

[bostandyksoft]

This flags (one one them) is used there https://github.com/liferay/liferay-portal/tree/master/modules/apps/portal-security-sso-ntlm/portal-security-sso-ntlm-impl

As negotiateFlags. Can you please suggest some tools, that can help NTLM requests?

Best regards. Alexey

[mbechler]

These flags are used inside a netlogon call, so this does not relate to the SMB config at all. But the netlogon implementation they have there should be a good starting point. If you port that to jcifs-ng, it is possible that It will just work with 2016 and the SMB2 support provided by jcifs-ng.

[smileMurphy]

who has example for jcifs-ng SSO to a system!!!