[security-dev 01602]: Re: Request for comment: spec: NTLM as a SASL mech

Natalie Li Natalie.Li at Sun.COM
Thu Feb 4 08:15:53 UTC 2010


>
> public final class Client {
>     /**
>      * Creates an NTLM Client instance.
>      * @param version the NTLM version to use, which can be:
>      * <ol>
>      * <li>1: Original NTLM v1
>      * <li>1lm: Original NTLM v1, LM only
>      * <li>1ntlm: Original NTLM v1, NTLM only
>      * <li>1+: NTLM v1 with Client Challenge
>      * <li>2: NTLM v2
>      * <li>2lm: NTLM v2, LM only
>      * <li>2ntlm: NTLM v2, NTLM only
>      * </ol>
>      * If null, "1+" will be used.

I'm not familiar with the Java syntax so could you please elaborate on 
how you come up with the param version?
You can find the following 2 fields in NTLMSSP Type 3 message:

LmChallengeResponse
NtChallengeResponse

So, the Type 3 message could contain the following challenge responses:

NTLM
LM and NTLM
LMv2 and NTLMv2
 
>     public byte[] type3(byte[] type2, byte[] nonce) throws NTLMException;
I'm missing the context. What's the purpose of the nonce when generating 
the type 3 message?

> 1. As described by the MSDN article, when LMCompatibilityLevel is set to a
>    high value on the server, certain low-value requests are not supported
This statement isn't clear (See below).

> 2. There's no protocol for the server to tell the client to use a higher
>    version, so you must manually set up this config on the client side
The use of NTLM or NTLMv2 authentication is not negotiated between the 
client and server.  Hence, authentication might fail if the server 
mandates NTLMv2 authentication while the client uses NTLM authentication.

Natalie



Max (Weijun) Wang wrote:
> Hi All
>
> Please take a review on this draft before I send it for CCC:
>
>    http://cr.openjdk.java.net/~weijun/spec/NTLMSASL.0.1
>
> The spec includes a raw NTLM API defined in com.sun.* namespace and describes the newly added SASL mech.
>
> Thanks
> Max
>
>   
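An added example, not code from this thread or from Max's draft spec: a small Python parser that reads the LmChallengeResponse and NtChallengeResponse fields of an NTLMSSP Type 3 message (field layout per MS-NLMP) and reports which of the combinations Natalie lists the client actually sent, which is how a server or a log analyser can tell NTLMv1 traffic from NTLMv2 after the fact. The `build_type3` helper and the sample response bytes are constructed test data and are assumptions of this example.

```python
import struct

# NTLMSSP Type 3 (AUTHENTICATE_MESSAGE, MS-NLMP): "NTLMSSP\0", MessageType=3, then
# Len/MaxLen/Offset triples for LmChallengeResponse (at 12) and NtChallengeResponse
# (at 20), followed by Domain, User, Workstation and session-key fields and flags.

def build_type3(lm_resp: bytes, nt_resp: bytes) -> bytes:
    """Construct a minimal Type 3 carrying only the two response fields
    (domain/user/workstation/session key left empty). Constructed sample data."""
    header_len = 64  # fixed part up to and including NegotiateFlags
    payload = lm_resp + nt_resp
    def field(data, off):
        return struct.pack("<HHI", len(data), len(data), off)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 3)
    msg += field(lm_resp, header_len)
    msg += field(nt_resp, header_len + len(lm_resp))
    for _ in range(4):  # Domain, User, Workstation, EncryptedRandomSessionKey (empty)
        msg += field(b"", header_len + len(payload))
    msg += struct.pack("<I", 0)  # NegotiateFlags, not needed for classification
    return msg + payload

def _field(msg: bytes, pos: int) -> bytes:
    """Read one Len/MaxLen/Offset triple and return the bytes it points at."""
    length, _maxlen, off = struct.unpack_from("<HHI", msg, pos)
    if off + length > len(msg):
        raise ValueError("response field points outside the message")
    return msg[off:off + length]

def classify_type3(msg: bytes) -> str:
    """Return which challenge-response combination the Type 3 message carries."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP Type 3 message")
    lm, nt = _field(msg, 12), _field(msg, 20)
    if len(nt) > 24:
        # NTLMv2: 16-byte NTProofStr followed by the NTLMv2_CLIENT_CHALLENGE blob.
        # A 24-byte all-zero LM field is treated as "no LMv2 response".
        return "LMv2 and NTLMv2" if len(lm) == 24 and any(lm) else "NTLMv2 only"
    if len(nt) == 24:  # 24-byte DES-based response: NTLMv1 family
        if len(lm) == 24 and lm[8:] == b"\x00" * 16:
            # LM field holds an 8-byte client challenge plus zero padding
            # (Max's "1+", NTLM v1 with client challenge).
            return "NTLMv1 with client challenge"
        return "LM and NTLM" if len(lm) == 24 else "NTLM only"
    if len(lm) == 24:
        return "LM only"
    return "no challenge response"
```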