
IE not reply type 3 NTLM message

843810 Member Posts: 46,938
edited Feb 6, 2010 7:47AM in Kerberos & Java GSS (JGSS)
Hi All,

I am implementing an SSO using NTLM. The steps are:

Step 1: Client asks for the resource
Step 2: Server asks for NTLM negotiation
Step 3: Client sends the server an NTLM type 1 message
Step 4: Server sends back to the client an NTLM type 2 message
Step 5: Client sends a type 3 message.

The problem I have is in Step 5: when the browser receives the type 2 message, it just stops, displaying "IE cannot display the webpage", and sends nothing to the server.

I have checked that I am sending the type 2 message correctly; using a sniffer I can see the NTLM type 2 message (challenge) and it is well formed (I have also tested different flag configurations). I have also tested with Firefox, with the same behaviour. Server and client are in the same domain.

I would appreciate any clue as to what I could try or investigate, as I have tested all possible things and I am blocked.

Thanks in advance.


  • 843810
    843810 Member Posts: 46,938
    "I am implementing an SSO using NTLM"
    Is this for fun or a real project?

    You may want to consider taking a look at some open source software that implements SSO:

    NTLM -

    Kerberos -
  • 843810
    843810 Member Posts: 46,938
    It is a real project.

    Because of the requirements I cannot use SPNEGO; JCIFS is what I am using. I am using Tomcat 5.5, JDK 1.4.2 and IE 6, although I have tested with other versions of Tomcat, JDK and IE (and Firefox) with the same result.
    I have also set the registry keys ntlmminclientsec and ntlmminserversec to several values (10 is the right one, I guess), and lmcompatibilitylevel has also been set to 0.

    I can see with an HTTP packet capture that the type 2 message is well formed, and I have also tried setting different flag values for this type 2 message.

    Thanks in advance.
  • 843810
    843810 Member Posts: 46,938
    Have you thought about installing two versions of Tomcat on your server?

    One running JCIFS/JDK6 and the other your code/JDK 1.4.

    By the way, JDK5 reached its end of service life last year.

    Also, it might be cheaper to upgrade the JDK instead of writing your own SSO code.

    Anyway, the idea behind the two versions is so that you can compare your type 2 message with the JCIFS type 2 message.

    Finally, are you able to share with us which feature(s) of JCIFS are lacking or not working for you?
  • 843810
    843810 Member Posts: 46,938
    Thanks for your answer. First, I have solved the issue. The problem was in my implementation: I was using JCIFS classes within my own implementation and I changed the way the challenge data was sent in the type 2 message (I thought it was random data, following the specifications, and it seems I was wrong).
    So now JCIFS works fine, but the problem now is that JCIFS is only valid for NTLMv1 and it seems that NTLMv2 is going to be needed. If I am not wrong, JRE 1.4.2 does not support the NTLMv2 cipher, and in any case I have not found anything similar to JCIFS with NTLMv2 support (Jespa is recommended, but it is not free and requires JRE 1.5).

    So I guess that the only option is the one you pointed out. I already proposed it to the client; the idea is to have a 1.6 VM that will receive the SPNEGO ticket received by the web server running under 1.4 (through a web service, socket, ...), perform the validation and send the answer back.

    Does anyone have more ideas to implement an SSO with JDK 1.4 and not NTLMv1?

    Thanks in advance.
  • 843810
    843810 Member Posts: 46,938
    edited Feb 6, 2010 7:47AM
    I don't understand why you are dealing with this NTLM/JCIFS/1.4.2 crap. Move to JDK6 and a simple SPNEGO/Kerberos solution is less than 100 lines of code as a Tomcat 6 authenticator. I coded it myself. Take the aforementioned, which is great code!
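The well-formedness check the thread does by eye in a sniffer, as an added example that is not JCIFS code or any poster's code: it decodes a WWW-Authenticate: NTLM header value according to the MS-NLMP CHALLENGE_MESSAGE layout, reports the negotiate flags, server challenge and target name, and warns about a zero challenge or a missing TargetInfo (the part an NTLMv2 client derives its response from). The build_type2 helper and its sample values are constructed test fixtures.

```python
"""Parse and sanity-check an NTLM Type 2 (CHALLENGE_MESSAGE) as carried in a
WWW-Authenticate: NTLM <base64> header.  Field layout follows MS-NLMP; this is
an added example, not JCIFS code or the thread author's code."""
import base64
import struct

# Subset of NegotiateFlags from MS-NLMP, bit value -> short name.
FLAG_NAMES = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000200: "NTLM", 0x00010000: "TARGET_TYPE_DOMAIN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00800000: "TARGET_INFO",
    0x02000000: "VERSION", 0x20000000: "128", 0x80000000: "56",
}

def parse_type2(header_value):
    """Decode the header value and return a dict of what the challenge carries.
    Raises ValueError for structural problems; soft findings go in 'warnings'."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme != "NTLM" or not token:
        raise ValueError("not a WWW-Authenticate: NTLM <token> value")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 32 or msg[:8] != b"NTLMSSP\0":
        raise ValueError("bad NTLMSSP signature or message shorter than 32 bytes")
    # Signature(8) Type(4) TargetNameFields(2,2,4) Flags(4) ServerChallenge(8)
    mtype, tn_len, _tn_max, tn_off, flags, chal = struct.unpack_from("<IHHII8s", msg, 8)
    if mtype != 2:
        raise ValueError("MessageType %d, expected 2 (challenge)" % mtype)
    if tn_off + tn_len > len(msg):
        raise ValueError("TargetName fields point outside the message")
    ti_len = 0
    if flags & 0x00800000 and len(msg) >= 48:   # TargetInfoFields sit at offset 40
        ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)
        if ti_off + ti_len > len(msg):
            raise ValueError("TargetInfo fields point outside the message")
    raw_name = msg[tn_off:tn_off + tn_len]
    name = raw_name.decode("utf-16-le" if flags & 1 else "ascii", "replace")
    warnings = []
    if chal == b"\0" * 8:
        warnings.append("ServerChallenge is all zeros")
    if ti_len == 0:
        warnings.append("no TargetInfo: NTLMv2 clients derive their response from it")
    return {"flags": sorted(n for b, n in FLAG_NAMES.items() if flags & b),
            "challenge": chal.hex(), "target_name": name,
            "ntlmv2_ready": ti_len > 0, "warnings": warnings}

def build_type2(target, challenge, flags):
    """Constructed test fixture: a 48-byte header followed by the TargetName and
    a TargetInfo list holding one MsvAvNbDomainName AV_PAIR plus MsvAvEOL."""
    name = target.encode("utf-16-le")
    info = struct.pack("<HH", 2, len(name)) + name + struct.pack("<HH", 0, 0)
    hdr = b"NTLMSSP\0" + struct.pack("<IHHII8s8sHHI", 2, len(name), len(name), 48,
                                      flags, challenge, b"\0" * 8,
                                      len(info), len(info), 48 + len(name))
    return "NTLM " + base64.b64encode(hdr + name + info).decode("ascii")
```

Run parse_type2 over the header value copied from a capture; a message that parses but lists warnings is the kind JCIFS-style NTLMv1 setups in this thread produce.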