I am implementing an SSO using NTLM
Is this for fun or a real project?
You may want to consider taking a look at some open source software that implements SSO:
NTLM - http://jcifs.samba.org/src/docs/ntlmhttpauth.html
Kerberos - http://spnego.sourceforge.net
It is a real project.
Because of the requirements I can not use SPNEGO; JCIFS is what I am using. I am using Tomcat 5.5, JDK 1.4.2 and IE 6, although I have tested with other versions of Tomcat, JDK and IE (and Firefox) with the same result.
I have also set the registry keys ntlmminclientsec and ntlmminserversec to several values (10 is the right one I guess) and lmcompatibilitylevel has been set to 0.
I can see with an HTTP packet capture that the type2 message is well formed, and I have also tried setting different flag values for this type 2 message.
Thanks in advance.
Have you thought about installing two versions of Tomcat on your server?
One running JCIFS/JDK6 and the other your code/JDK1.4
By the way, JDK5 reached its end of service life last year.
Also, it might be cheaper to upgrade the JDK instead of writing your own SSO code.
Anyway, the idea behind the two versions is so that you can compare
your type2 message with the JCIFS type2 message.
Finally, are you able to share with us what/which feature(s) of JCIFS is lacking or not working for you?
Thanks for your answer. First, I have solved the issue. The problem was in my implementation: I was using JCIFS classes within my own implementation and I changed the way the challenge data was sent in the type2 message (I thought it was random data, following the http://curl.haxx.se/rfc/ntlm.html specification, and it seems I was wrong).
So now JCIFS works fine, but the problem now is that JCIFS is only valid for NTLMv1 and it seems that NTLMv2 is going to be needed. If I am not wrong, JRE 1.4.2 does not support the NTLMv2 cipher, and in any case I have not found anything similar to JCIFS with NTLMv2 support (JESPA is recommended but it is not free and requires JRE 1.5).
So I guess that the only option is the one you pointed out. I already proposed it to the client; the idea is to have a 1.6 VM that will receive the SPNEGO ticket received by the web server running under 1.4 (through a web service, socket, ...), perform the validation and send the answer back.
Does anyone have more ideas to implement a SSO with JDK1.4 and not NTLMv1?
Thanks in advance
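Both posts above turn on what the server puts in the NTLM Type 2 message (the challenge bytes and the negotiate flags), so here is an added Python example for checking a captured one; it is not code from this thread or from JCIFS. `parse_type2` decodes a `WWW-Authenticate: NTLM <base64>` value into signature, message type, flags, the 8-byte server challenge and the target name, following the MS-NLMP layout, and `build_type2` constructs a sample message to run it against; the flag-name table and the sample domain `EXAMPLE` are this example's own. Note that when JCIFS validates the Type 3 response against a domain controller, the challenge it sends in Type 2 is the one it fetched from that controller, so substituting a locally generated value breaks validation even though the message still looks well formed.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
# Subset of NTLMSSP negotiate flags that matter when reading a challenge.
FLAG_NAMES = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
}


def parse_type2(header_value):
    """Decode a 'NTLM <base64>' WWW-Authenticate value into its Type 2 fields."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "NTLM":
        raise ValueError("not an NTLM challenge header")
    msg = base64.b64decode(b64)
    # Fixed part: signature(8) type(4) TargetNameFields(8) flags(4) challenge(8)
    if len(msg) < 32 or msg[:8] != SIGNATURE:
        raise ValueError("malformed Type 2: bad signature or shorter than 32 bytes")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise ValueError("expected message type 2, got %d" % msg_type)
    name_len, _max, name_off = struct.unpack_from("<HHI", msg, 12)
    (flags,) = struct.unpack_from("<I", msg, 20)
    challenge = msg[24:32]
    if name_off + name_len > len(msg):
        raise ValueError("target name offset/length points past end of message")
    encoding = "utf-16-le" if flags & 0x00000001 else "ascii"
    return {
        "target": msg[name_off:name_off + name_len].decode(encoding),
        "challenge": challenge.hex(),
        "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
    }


def build_type2(target, challenge, flags):
    """Constructed sample Type 2 (MS-NLMP 56-byte header, TargetInfo/Version zeroed)."""
    name = target.encode("utf-16-le" if flags & 0x00000001 else "ascii")
    hdr = SIGNATURE + struct.pack("<I", 2)
    hdr += struct.pack("<HHI", len(name), len(name), 56)       # target name follows header
    hdr += struct.pack("<I", flags) + challenge + b"\x00" * 8  # flags, challenge, reserved
    hdr += struct.pack("<HHI", 0, 0, 0) + b"\x00" * 8          # TargetInfoFields, Version
    return "NTLM " + base64.b64encode(hdr + name).decode("ascii")
```

Run over several captured responses, the two things worth comparing are the challenge value (it should differ on every exchange) and the flags word, which is what the registry settings mentioned above influence on the client side.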
I don't understand why you are dealing with this NTLM/JCIFS/1.4.2 crap. Move to JDK6 and a simple SPNEGO/Kerberos solution is less than 100 lines of code as a Tomcat 6 authenticator. I coded it myself. Take the aforementioned spnego.sf.net, which is great code!