Open GoogleCodeExporter opened 9 years ago
Looks like I ran up against a wall with this. I got as far as getting the NTLM response back from the client, so I've got the LM password hash. But now I don't know what to do with it. On the back end I have to check it against something (a samba server, for example)... but I'm not quite sure how to get started on that, and in any case this is quickly getting out of hand. Doing Kerberos authentication instead of NTLM might just turn out to be easier.
Original comment by matt.zuk...@gmail.com on 11 Apr 2007 at 4:29
This feature would be really nice, because I currently use it within Ja-Sig CAS.
I think you need to check the credentials against the domain controller. Probably one of these libraries can help: http://raa.ruby-lang.org/project/ruby-smb/
or even better: http://raa.ruby-lang.org/project/activesambaldap/
Original comment by alexku...@googlemail.com on 13 May 2008 at 8:21
Why do you need to verify the user name and password in the NTLM response against a domain controller? By being present it shows that the user is trusted by the domain already.
Don't you just need to check if you trust the domain which authenticated the user by comparing the t3.domain with a list of acceptable domains in the config file?
Original comment by noemails...@gmail.com on 30 Sep 2008 at 9:08
Because nothing prevents anyone from forging the headers NTLM uses.
Original comment by rae...@gmail.com on 5 Mar 2009 at 6:53
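An added example (not part of the original thread or the RubyCAS code) of the point made in the two comments above: every field in the Type 3 message, the domain included, is supplied by the client, so an allow-list on the domain passes without the response ever being checked against the server's challenge. The function names and the CORP/alice/WS1 sample are constructed for illustration, and the parser assumes the 64-byte header layout that carries a flags word.

```ruby
SIGNATURE = "NTLMSSP\0".b

# Read the security buffer (length, allocated length, offset) stored at +pos+.
def sec_buf(msg, pos)
  len, _alloc, off = msg.byteslice(pos, 8).unpack("vvV")
  raise ArgumentError, "buffer outside message" if off + len > msg.bytesize
  msg.byteslice(off, len)
end

# Decode a base64 Type 3 message into its fields. Assumes the 64-byte header
# layout that includes the flags word at offset 60.
def parse_type3(b64)
  msg = b64.unpack1("m0") # strict base64; raises ArgumentError on bad input
  raise ArgumentError, "too short" if msg.bytesize < 64
  raise ArgumentError, "not NTLMSSP" unless msg.byteslice(0, 8) == SIGNATURE
  raise ArgumentError, "not a Type 3 message" unless msg.byteslice(8, 4).unpack1("V") == 3
  unicode = (msg.byteslice(60, 4).unpack1("V") & 0x1) == 1
  text = lambda do |pos|
    raw = sec_buf(msg, pos)
    unicode ? raw.force_encoding("UTF-16LE").encode("UTF-8") : raw
  end
  { lm_response: sec_buf(msg, 12), nt_response: sec_buf(msg, 20),
    domain: text.call(28), user: text.call(36), workstation: text.call(44) }
end

# The check proposed in the thread: accept when the domain is on a list.
def domain_allowlisted?(fields, allowed)
  allowed.include?(fields[:domain].upcase)
end

# Constructed sample input: both response fields are 24 zero bytes, i.e. they
# were never computed from any server challenge or password hash.
def build_sample_type3(domain, user, host)
  filler = ("\0" * 24).b
  parts = [filler, filler, *[domain, user, host].map { |s| s.encode("UTF-16LE").b }, "".b]
  header = SIGNATURE + [3].pack("V")
  off = 64
  parts.each { |p| header << [p.bytesize, p.bytesize, off].pack("vvV"); off += p.bytesize }
  [header + [1].pack("V") + parts.join].pack("m0")
end

SAMPLE = build_sample_type3("CORP", "alice", "WS1")
fields = parse_type3(SAMPLE)
puts "domain=#{fields[:domain]} user=#{fields[:user]}"
puts "allow-list check passes: #{domain_allowlisted?(fields, %w[CORP])}"
puts "NT response is unverified filler: #{fields[:nt_response] == ("\0" * 24).b}"
```

The allow-list check returns true even though the response bytes are filler, which is why the response has to be validated by something that holds the account's credentials, such as the domain controller.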
The module from JASIG uses this method:
http://developer.jasig.org/source/browse/jasigsvn/cas3/trunk/cas-server-support-spnego/src/main/java/org/jasig/cas/support/spnego/authentication/handler/support/JCIFSSpnegoAuthenticationHandler.java?r=44334
The advantage over ruby is the existence of JCIFS and JCIFS-ext:
http://jcifs-ext.cvs.sourceforge.net/viewvc/jcifs-ext/jcifs-ext/src/jcifs/spnego/Authentication.java?revision=1.1.1.1&view=markup
they can use. We only have ruby-smb which doesn't have a possibility to just check username and password.
Any ideas?
Original comment by alexku...@googlemail.com on 23 Apr 2009 at 2:08
Maybe worth looking at Ruby/NTLM? There's some sample code here:
http://rubyforge.org/forum/forum.php?thread_id=8416&forum_id=6621
I'm not able to look into this right now, but if someone wants to tackle it I'd be happy to provide whatever support I can. The skeleton for an NTLM authenticator is already there in the repo. All we really need is some way of submitting a username and password (to an SMB server, or wherever it is that it needs to go) and getting back a response saying whether the credentials are valid.
Original comment by matt.zuk...@gmail.com on 23 Apr 2009 at 2:42
Original issue reported on code.google.com by matt.zuk...@gmail.com on 28 Mar 2007 at 3:10