NTLM Authorization issue

[Marcia]

We have a little in house application that uses NTLM Authorization. I
didn't write it, but it looks as though the code was taken from
directly from this discussion:

http://www.jguru.com/faq/viewquestion.jsp?EID=393110

This code works for most users of Internet Explorer (IE 6). But it
doesn't work on some newer machines that are operating off a different
installation image than older machines. I have two machines and
verified they have the exact same version of internet explorer
(6.0.2900.2180.xpsp_sp2_gdr.070227-2254). On the older one, the
application using the above mentioned code comes up just fine. On the
newer one, the user gets a "Page cannot be found" error.

I've traced the issue down to this section of the above mentioned
code:

if (auth.startsWith("NTLM "))
{
byte[] msg = new
sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
int off = 0, length, offset;
if (msg[8] == 1)
{
byte z = 0;
byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M',
(byte)'S', (byte)'S', (byte)'P', z,(byte)2, z, z, z, z, z, z, z,
(byte)40, z, z, z, (byte)1, (byte)130, z, z,z, (byte)2, (byte)2,
(byte)2, z, z, z, z, z, z, z, z, z, z, z, z};
response.setHeader("WWW-Authenticate", "NTLM " + new
sun.misc.BASE64Encoder().encodeBuffer(msg1));
response.sendError(response.SC_UNAUTHORIZED);
return;
}

Specifically, it is when the
response.sendError(response.SC_UNAUTHORIZED); is sent back.

I searched Microsoft's web site and found this:

http://support.microsoft.com/?kbid=821814

But it looks like that issue was fixed in 2003 and we show a dll much
more recent than the one shown to have fixed the bug. And again, two
machines with the same version and patches for IE, one works, one
doesn't.

Does anybody have any thoughts or suggestions as to what we could do
to get this to work on all workstations with IE 6? Or if there is
something else on the machine or IE configuration that could affect
this behavior? I also painfully verified all the IE settings were the
same.

BTW, it works in Firefox on the affected machines, although the user
is prompted for a login, but this is not considered an acceptable
workaround as this newer image starts to become more prevalent.

Thanks!

 

[Roedy Green]

We have a little in house application that uses NTLM Authorization. I
didn't write it, but it looks as though the code was taken from
directly from this discussion:

Authenticators are SO much easier now.

see http://mindprod.com/jgloss/authentication.html
http://mindprod.com/jgloss/ntlm.html

 

[Marcia]

Authenticators are SO much easier now.

see http://mindprod.com/jgloss/authentication.htmlhttp://mindprod.com/jgloss/ntlm.html

Thanks for the info, could you by chance point me to a code snippet
that uses this class for NTLM auth that will work in java 1.4.2?
Also, somewhere I saw mentioned that NTLM will only work with this
class on windows machines due to licensing issues. Our code runs on
Solaris, will this even be an option for us?

 

[Marcia]

Also, I should clarify that our code is running on the server side as
a servlet. It seems most examples/discussions I am finding focus on
using the Authenticator class on a client machine.

 

[Real Gagnon]

Thanks for the info, could you by chance point me to a code snippet

that uses this class for NTLM auth that will work in java 1.4.2?

http://java.sun.com/j2se/1.4.2/changes.html#networking

Note that the code you are using now is not secure at all.

See the note at
http://www.rgagnon.com/javadetails/java-0441.html

If you are using an application server, it's possible to use NTLM. For
exemple, you can setup BEA WLS to authenticate through NTLM.

Bye.

 

[Roedy Green]

Thanks for the info, could you by chance point me to a code snippet
that uses this class for NTLM auth that will work in java 1.4.2?
Also, somewhere I saw mentioned that NTLM will only work with this
class on windows machines due to licensing issues. Our code runs on
Solaris, will this even be an option for us?

I discus two different methods -- the old 1.4.2 way and the new
Authenticator way. The authenticator code is so simple, I suggest you
just try it.

 

[Roedy Green]

Also, I should clarify that our code is running on the server side as
a servlet. It seems most examples/discussions I am finding focus on
using the Authenticator class on a client machine.

You trying to fool a Windows browser that you are a Windows server.
This is a completely different problem.

I would dig around in the various open source servlet wombs to see if
any of them can do this. Then either use that womb, or cannibalise
its code

see http://mindprod.com/jgloss/servletwomb.html

 

[Marcia]

You trying to fool a Windows browser that you are a Windows server.
This is a completely different problem.

The app in question is one that doesn't access sensitive data, hence
the methodology. It was basically designed to save the user the step
of entering login information by capturing their workstation login and
passing that to the application so we know who they are. It looks
like we are going to have to rewrite this front end portion of the app
anyway, so we'll probably just update it to work like our other apps
that already require the user to enter a login and password. Anyhow,
thanks everyone for your help!