I am using the following filter to enable NTLM authentication in my web application.
I get the windows browser authentication prompt. It is working fine. Except for th
As Edward said, just extracting a name from a type 3 (response) NTLM message doesn't say anything about whether the client who generated it was entitled to do so.
NTLM is not like Kerberos, where there's a signed token that a service can validate on its own; you have to make a connection to the domain controller every time to ask it whether the token is legit. Implementing an MSRPC connection to check an NTLM token is really hard work.
In the old days you could do this in JCIFS using a jcifs.smb.SmbSession, and jcifs.http.NtlmHttpFilter would do just that for you. However, this only works for NTLMv1, which is old, insecure, and increasingly unlikely to be used for anything. (I believe 'ntlm-java' linked above is also NTLMv1-only.)
Try the ntlmv2auth project.
NTLM-over-HTTP is enough of a pain in the arse that it's usually better to use any other method of authentication available to you.
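To make the point about type 3 messages concrete, here is an added example (not code from the original answer, JCIFS or ntlmv2auth) that parses an `Authorization: NTLM ...` header and reports only what the client claims, plus whether the NT response has the 24-byte NTLMv1 length. The class and method names are hypothetical, and the message built in `main` is a constructed sample with zero bytes in place of a real response.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Added example; NtlmType3Inspect, field and inspect are hypothetical names.
public class NtlmType3Inspect {
    // Reads one security buffer (uint16 len, uint16 maxLen, uint32 offset) at pos.
    static byte[] field(ByteBuffer b, int pos) {
        int len = b.getShort(pos) & 0xFFFF, off = b.getInt(pos + 4);
        if (len == 0) return new byte[0];
        if (off < 64 || len > b.limit() - off) throw new IllegalArgumentException("bad buffer");
        return Arrays.copyOfRange(b.array(), off, off + len);
    }

    // Reports what a Type 3 message claims. Nothing parsed here proves identity.
    static String inspect(String authorizationHeader) {
        if (!authorizationHeader.startsWith("NTLM ")) throw new IllegalArgumentException("not NTLM");
        byte[] msg = Base64.getDecoder().decode(authorizationHeader.substring(5).trim());
        ByteBuffer b = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        if (msg.length < 64 || !new String(msg, 0, 8, StandardCharsets.US_ASCII).equals("NTLMSSP\0")
                || b.getInt(8) != 3) throw new IllegalArgumentException("not a Type 3 message");
        // Bit 0 of NegotiateFlags (NTLMSSP_NEGOTIATE_UNICODE) selects UTF-16LE strings.
        Charset cs = (b.getInt(60) & 1) != 0 ? StandardCharsets.UTF_16LE : StandardCharsets.US_ASCII;
        String domain = new String(field(b, 28), cs), user = new String(field(b, 36), cs);
        int ntLen = field(b, 20).length;
        String kind = ntLen == 24 ? "NTLMv1-length NT response (reject)"
                : ntLen > 24 ? "NTLMv2-length NT response" : "no usable NT response";
        return domain + "\\" + user + " [claimed, not verified]; " + kind;
    }

    public static void main(String[] args) {
        // Constructed sample: two claimed names and 40 zero bytes as the NT response.
        byte[] dom = "EXAMPLE".getBytes(StandardCharsets.UTF_16LE);
        byte[] usr = "alice".getBytes(StandardCharsets.UTF_16LE);
        byte[] nt = new byte[40];
        ByteBuffer m = ByteBuffer.allocate(64 + nt.length + dom.length + usr.length).order(ByteOrder.LITTLE_ENDIAN);
        m.put("NTLMSSP\0".getBytes(StandardCharsets.US_ASCII)).putInt(3);
        int off = 64;
        for (byte[] f : new byte[][] {new byte[0], nt, dom, usr, new byte[0], new byte[0]}) {
            m.putShort((short) f.length).putShort((short) f.length).putInt(off);
            off += f.length;
        }
        m.putInt(1).put(nt).put(dom).put(usr); // flags = UNICODE, then the payload
        System.out.println(inspect("NTLM " + Base64.getEncoder().encodeToString(m.array())));
    }
}
```

The parser accepts the sample even though its response bytes are all zero, so a filter must not set a principal from these fields until the domain controller has validated the response.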