5 Replies Latest reply: Feb 6, 2010 6:47 AM by 843810

    IE not reply type 3 NTLM message

      HI All,

      I am implementing an SSO using NTLM. The steps are:

      Step 1: Client asks for a resource
      Step 2: Server asks for NTLM negotiation
      Step 3: Client sends the server an NTLM type 1 message
      Step 4: Server sends back to the client an NTLM type 2 message
      Step 5: Client sends a type 3 message.

      The problem I have is in Step 5: when the browser receives the type 2 message, it just stops, displaying "IE cannot display the webpage", and sends nothing to the server.

      I have checked that I am sending the type 2 message correctly: using a sniffer I can see the NTLM type 2 message (challenge) and it is well formed (I have also tested different flag configurations). I have also tested with Firefox, with the same behaviour. Server and client are in the same domain.

      I would appreciate any clue as to what I could try or investigate, as I have tested all possible things and I am blocked.

      Thanks in advance.
        • 1. Re: IE not reply type 3 NTLM message
          "I am implementing an SSO using NTLM"
          Is this for fun or a real project?

          You may want to consider taking a look at some open source software that implements SSO:

          NTLM - http://jcifs.samba.org/src/docs/ntlmhttpauth.html

          Kerberos - http://spnego.sourceforge.net
          • 2. Re: IE not reply type 3 NTLM message
            It is a real project.

            Because of the requirements I cannot use SPNEGO; JCIFS is what I am using. I am using Tomcat 5.5, JDK 1.4.2 and IE 6, although I have tested with other versions of Tomcat, JDK and IE (and Firefox) with the same result.
            I have also set the registry keys ntlmminclientsec and ntlmminserversec to several values (10 is the right one, I guess), and lmcompatibilitylevel has been set to 0.

            I can see with an HTTP packet capture that the type 2 message is well formed, and I have also tried setting different flag values for this type 2 message.

            Thanks in advance.
            • 3. Re: IE not reply type 3 NTLM message
              Have you thought about installing two versions of Tomcat on your server?

              One running JCIFS/JDK6 and the other your code/JDK1.4.

              By the way, JDK5 reached its end of service life last year.

              Also, it might be cheaper to upgrade the JDK instead of writing your own SSO code.

              Anyway, the idea behind the two versions is so that you can compare your type 2 message with the JCIFS type 2 message.

              Finally, are you able to share with us which feature(s) of JCIFS are lacking or not working for you?
              • 4. Re: IE not reply type 3 NTLM message

                Thanks for your answer. First, I have solved the issue. The problem was in my implementation: I was using JCIFS classes within my own implementation, and I had changed the way the challenge data was sent in the type 2 message (I thought it was random data, following the http://curl.haxx.se/rfc/ntlm.html specification, and it seems I was wrong).
                So now JCIFS works fine, but the problem now is that JCIFS is only valid for NTLMv1, and it seems that NTLMv2 is going to be needed. If I am not wrong, JRE 1.4.2 does not support the NTLMv2 cipher, and in any case I have not found anything similar to JCIFS with NTLMv2 support (JESPA is recommended, but it is not free and requires JRE 1.5).

                So I guess that the only option is the one you pointed out. I already proposed it to the client: the idea is to have a 1.6 VM that will receive the SPNEGO ticket received by the web server running under 1.4 (through a web service, socket, ...), perform the validation and send the answer back.

                Does anyone have more ideas on how to implement an SSO with JDK 1.4 and not NTLMv1?

                Thanks in advance.
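The type 2 (challenge) message is what both the question and reply 4 end up checking byte by byte: the sniffed message in the question, and the changed challenge data in reply 4. As an added example written for this thread (not code from JCIFS or from any poster), here is a Python builder and a strict parser for that message, following the field layout in the curl NTLM page linked above; the flag constants and the "DOMAIN" target are assumptions for the sample, and the parser rejects the kinds of defects a capture comparison would otherwise have to find by eye.

```python
import base64
import struct

# Layout of the NTLM type 2 (challenge) message, per the curl NTLM write-up cited in the thread:
# offset 0: signature "NTLMSSP\0"   offset 8: message type (LE uint32 == 2)
# offset 12: target name security buffer (len, maxlen, offset)   offset 20: flags   offset 24: 8-byte challenge
SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001      # flag values assumed from the curl NTLM write-up
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
TARGET_TYPE_DOMAIN = 0x00010000
DEFAULT_FLAGS = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | TARGET_TYPE_DOMAIN


def build_type2(challenge, target, flags=DEFAULT_FLAGS):
    """Build a minimal type 2 message (32-byte header) carrying the server challenge and target name."""
    if len(challenge) != 8:
        raise ValueError("challenge must be exactly 8 bytes")
    name = target.encode("utf-16-le") if flags & NEGOTIATE_UNICODE else target.encode("ascii")
    # Security buffer: (length, allocated length, offset); the data block starts right after the header.
    name_buf = struct.pack("<HHI", len(name), len(name), 32)
    return SIGNATURE + struct.pack("<I", 2) + name_buf + struct.pack("<I", flags) + challenge + name


def parse_type2(msg):
    """Parse a type 2 message strictly; raise ValueError on anything that is not well formed."""
    if len(msg) < 32:
        raise ValueError("type 2 message shorter than its fixed header")
    if msg[:8] != SIGNATURE:
        raise ValueError("bad NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise ValueError("expected type 2, got type %d" % msg_type)
    name_len, _name_max, name_off = struct.unpack_from("<HHI", msg, 12)
    (flags,) = struct.unpack_from("<I", msg, 20)
    challenge = msg[24:32]
    # The security buffer must lie inside the message body; an offset or length past the end is a defect.
    if name_off < 32 or name_off + name_len > len(msg):
        raise ValueError("target name security buffer points outside the message")
    raw = msg[name_off:name_off + name_len]
    target = raw.decode("utf-16-le") if flags & NEGOTIATE_UNICODE else raw.decode("ascii")
    return {"flags": flags, "challenge": challenge, "target": target}


def parse_www_authenticate(header_value):
    """Decode the 'NTLM <base64>' value a server sends in WWW-Authenticate and parse the message."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM challenge header")
    return parse_type2(base64.b64decode(token))
```

Pointing parse_www_authenticate at the header value taken from a capture gives the same fields the sniffer shows, plus an error for any security buffer that does not fit the message.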
                • 5. Re: IE not reply type 3 NTLM message
                  I don't understand why you are dealing with this NTLM/JCIFS/1.4.2 crap. Move to JDK6, and a simple SPNEGO/Kerberos solution is less than 100 lines of code as a Tomcat 6 authenticator. I coded it myself. Take the aforementioned spnego.sf.net, which is great code!