NTLM Authentication in Websphere against LDAP
Posted By:   Diane_Palla
Posted On:   Monday, April 17, 2006 03:59 PM

I saw the thread at http://www.jguru.com/faq/viewquestion.jsp?EID=393110

I used the final code in reply #7:

<%
String auth = request.getHeader("Authorization");
if (auth == null)
{
    // No Authorization header yet: ask the browser to start the NTLM handshake
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    response.setHeader("WWW-Authenticate", "NTLM");
    response.flushBuffer();
    return;
}
if (auth.startsWith("NTLM "))
{
    byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
    int off = 0, length, offset;
    if (msg.length < 12)
    {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        return;
    }
    if (msg[8] == 1)
    {
        // Type 1 received: reply with a Type 2 challenge. Bytes 20..23 are the flags
        // 0x00008201 (Unicode, NTLM, always sign); bytes 24..31 are the server challenge.
        // The challenge here is a fixed constant, so the exchange can be replayed;
        // a real server must generate 8 fresh random bytes for every Type 2 message.
        byte z = 0;
        byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P', z,
                       (byte)2, z, z, z, z, z, z, z, (byte)40, z, z, z, (byte)1, (byte)130, z, z,
                       z, (byte)2, (byte)2, (byte)2, z, z, z, z, z, z, z, z, z, z, z, z};
        response.setHeader("WWW-Authenticate", "NTLM " + new sun.misc.BASE64Encoder().encodeBuffer(msg1));
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    else if (msg[8] == 3)
    {
        // Type 3 received. Each security buffer is little-endian (length, max length, offset);
        // Java bytes are signed, so mask with 0xFF before combining them.
        if (msg.length < 52)
        {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Strings are UTF-16LE when the Unicode flag (bit 0 of the flags at byte 60) was
        // negotiated, which the Type 2 above requests; single-byte OEM strings otherwise.
        String enc = (msg.length >= 64 && (msg[60] & 1) != 0) ? "UTF-16LE" : "ISO-8859-1";
        off = 30;

        length = (msg[off+17] & 0xFF) * 256 + (msg[off+16] & 0xFF);   // workstation name
        offset = (msg[off+19] & 0xFF) * 256 + (msg[off+18] & 0xFF);
        if (offset + length > msg.length) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        String remoteHost = new String(msg, offset, length, enc);

        length = (msg[off+1] & 0xFF) * 256 + (msg[off] & 0xFF);       // domain name
        offset = (msg[off+3] & 0xFF) * 256 + (msg[off+2] & 0xFF);
        if (offset + length > msg.length) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        String domain = new String(msg, offset, length, enc);

        length = (msg[off+9] & 0xFF) * 256 + (msg[off+8] & 0xFF);     // user name
        offset = (msg[off+11] & 0xFF) * 256 + (msg[off+10] & 0xFF);
        if (offset + length > msg.length) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        String username = new String(msg, offset, length, enc);

        // Nothing above verifies the NTLM response: these names are whatever the client
        // claimed. They are untrusted input, so escape them before echoing them into HTML.
        out.println("Username:" + username + "<br>");
        out.println("RemoteHost:" + remoteHost + "<br>");
        out.println("Domain:" + domain + "<br>");
    }
}
%>

I am trying to make that final code work in a Websphere environment against an LDAP server.

IE is responding well to these roundtrips.

However, I believe I have to send the "type 3 message", the last request authentication header sent from the browser, and send it to LDAP to actually verify if the user/password combination is right. My environment is not IIS so I believe I am missing the authentication that IIS really does. I believe this because any Windows user with the same username in our system can get in even with the wrong password associated with their account.

Question 1: Is the belief mentioned above correct?

I am using JNDI Java code to send the credentials to the Active Directory LDAP server as the last step to really authenticate the Windows user against LDAP, e.g.,

loginToLDAP(username + "@domain.com", auth or new String (msg, "UTF-8" or new String(msg0, "UTF-8") or something else?),

where msg0 = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(0)); instead of substring(5)

Question 2: My question is, what principal and credentials should I send to LDAP? What are considered the credentials? My guesses are the auth string, a string version of the msg[] array (which is the encoded version of auth.substring(5)), or an encoded string of the entire auth string? I saw one of Microsoft's authentication pages at http://technet2.microsoft.com/WindowsServer/f/?en/Library/8196d68e-776a-4bbc-99a6-d8c19f36ded41033.mspx say that the NTLM credential is "An array of strings containing the domain name, user name, and encrypted password"


import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

boolean loginToLDAP(String principal, String credentials) {
    // principal = "username@domain.com"
    // credentials = string representation of type 3 message encoded or decoded? or what exactly
    // security auth "GSS-SPNEGO" means NTLM for Windows Active Directory

    boolean successfulLogin = false;
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://ldap.url.com:389");
    env.put(Context.SECURITY_AUTHENTICATION, "GSS-SPNEGO");
    env.put(Context.SECURITY_PRINCIPAL, principal);
    env.put(Context.SECURITY_CREDENTIALS, credentials);

    DirContext ctx = null;

    try {
        ctx = new InitialDirContext(env); // throws an authentication exception if I put in the wrong password.
        successfulLogin = true;
    }
    catch (NamingException ne) {
        successfulLogin = false;
    }
    finally {
        // release the connection whether or not the bind succeeded
        if (ctx != null) {
            try { ctx.close(); } catch (NamingException ignored) { }
        }
    }
    return successfulLogin;
}
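Added example, not code from the post or from the jGuru thread: a stand-alone Java parser for the NTLM Type 3 message that the JSP above receives, reading all five security buffers with unsigned, bounds-checked arithmetic and UTF-16LE decoding, and showing what the message actually carries in place of a password. The Type 3 input is constructed inline with zeroed placeholder responses; the names CORP, alice and WS01 are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
public class NtlmType3 {
    static final int HEADER = 64; // fixed Type 3 header including flags; payload follows
    /** Builds a constructed Type 3 message: five security buffers pointing into the payload. */
    static byte[] build(String domain, String user, String host, byte[] lm, byte[] nt) {
        byte[][] fields = { lm, nt, utf16(domain), utf16(user), utf16(host) };
        int total = HEADER;
        for (byte[] f : fields) total += f.length;
        ByteBuffer b = ByteBuffer.allocate(total).order(ByteOrder.LITTLE_ENDIAN);
        b.put("NTLMSSP\0".getBytes(StandardCharsets.US_ASCII)).putInt(3);
        int off = HEADER;
        for (byte[] f : fields) { // secbufs at 12, 20, 28, 36, 44: length, max length, offset
            b.putShort((short) f.length).putShort((short) f.length).putInt(off);
            off += f.length;
        }
        b.putLong(0L);        // session key security buffer (empty)
        b.putInt(0x00008201); // flags: Unicode | NTLM | always sign, as in the Type 2 above
        for (byte[] f : fields) b.put(f);
        return b.array();
    }
    static byte[] utf16(String s) { return s.getBytes(StandardCharsets.UTF_16LE); }
    static String utf16(byte[] b) { return new String(b, StandardCharsets.UTF_16LE); }
    /** Reads one security buffer with unsigned, bounds-checked arithmetic. */
    static byte[] field(byte[] msg, int at) {
        ByteBuffer b = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        int len = b.getShort(at) & 0xFFFF;  // Java bytes and shorts are signed; mask them
        int off = b.getInt(at + 4);
        if (off < 0 || off > msg.length - len) {
            throw new IllegalArgumentException("security buffer points outside the message");
        }
        byte[] out = new byte[len];
        System.arraycopy(msg, off, out, 0, len);
        return out;
    }
    public static void main(String[] args) {
        // Constructed input; the 24 zero bytes stand in for real LM/NT responses
        byte[] msg = build("CORP", "alice", "WS01", new byte[24], new byte[24]);
        if (msg.length < HEADER || msg[8] != 3) throw new IllegalArgumentException("not a Type 3 message");
        byte[] nt = field(msg, 20);
        System.out.println(utf16(field(msg, 28)) + "\\" + utf16(field(msg, 36)) + " from " + utf16(field(msg, 44)));
        // The NT response (24 bytes for NTLMv1, longer for NTLMv2) is derived from the server
        // challenge and the password hash; the password itself is never sent, so this value is
        // not something an LDAP simple bind can check, and the names above are still unverified.
        System.out.println("NT response: " + nt.length + " bytes (" + (nt.length == 24 ? "NTLMv1" : "NTLMv2") + ")");
    }
}
```

Running it prints `CORP\alice from WS01` followed by the response length; feeding it a real Type 3 header from the `Authorization` header (after Base64-decoding the part following `NTLM `) parses the same way.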