[security-dev 01600]: Re: Request for comment: spec: NTLM as a SASL mech

Max (Weijun) Wang Weijun.Wang at Sun.COM
Thu Feb 4 00:19:54 PST 2010

On Feb 4, 2010, at 4:15 PM, Natalie Li wrote:

>> public final class Client {
>>    /**
>>     * Creates an NTLM Client instance.
>>     * @param version the NTLM version to use, which can be:
>>     * <ol>
>>     * <li>1: Original NTLM v1
>>     * <li>1lm: Original NTLM v1, LM only
>>     * <li>1ntlm: Original NTLM v1, NTLM only
>>     * <li>1+: NTLM v1 with Client Challenge
>>     * <li>2: NTLM v2
>>     * <li>2lm: NTLM v2, LM only
>>     * <li>2ntlm: NTLM v2, NTLM only
>>     * </ol>
>>     * If null, "1+" will be used.
> I'm not familiar with the Java syntax so could you please elaborate on how you come up with the param version?
> You can find the following 2 fields in NTLMSSP Type 3 message:
> LmChallengeResponse
> NtChallengeResponse
> So, the Type 3 message could contain the following challenge responses:
> LM and NTLM
> LMv2 and NTLMv2

I observe that when the client only provides LM, the authentication still goes fine. The same for v2 messages. This is why I allow the client to choose whatever it want to send.

By "1+", I mean the NTLM2 response described at --


Altogether, the client can choose 7 styles.

>>    public byte[] type3(byte[] type2, byte[] nonce) throws NTLMException;
> I'm missing the context. What's the purpose of the nonce when generating the type 3 message?

The class does not deal with random bytes generation inside, so the caller needs to provide the nonce.

>> 1. As described by the MSDN article, when LMCompatibilityLevel is set to a
>>   high value on the server, certain low value request is not supported
> This statement isn't clear (See below).

Not clear, I'll use your words below on NTLMv2.

>> 2. There's no protocol for the server to tell the client to use a higher
>>   version, so you must manually setup this config on the client side
> The use of NTLM or NTLMv2 authentication is not negotiated between the client and server.  Hence, authentication might fail if the server mandates NTLMv2 authentication while the client uses NTLM authentication.

Yes, this is what I say "manually setup this config on the client side".


> Natalie
> Max (Weijun) Wang wrote:
>> Hi All
>> Please take a review on this draft before I send it for CCC:
>>   http://cr.openjdk.java.net/~weijun/spec/NTLMSASL.0.1
>> The spec includes a raw NTLM API defined in com.sun.* namespace and describes the newly added SASL mech.
>> Thanks
>> Max

More information about the security-dev mailing list