JCIFS only does NTLMv1, and our security policies here dictate that only NTLMv2 be used. JCIFS implements NTLMv1 in a man-in-the-middle fashion: it relays the browser's authentication messages through the web server to the Active Directory domain controller and back.
There is documentation about this at: http://jcifs.samba.org/src/docs/ntlmhttpauth.html
One solution is to put IIS in front of GlassFish to handle the single sign-on.
So I set up an IIS server with the ISAPI sun-passthrough.dll with integrated security enabled. I pointed it to our development server stand-alone (no cluster, no load balancer, no node agents). request.getRemoteUser() isn't being populated, but I am able to pull the authenticated username by base64 decoding the NTLM Type 3 message in request.getHeader("Authorization") that is passed along from IIS.
I don't want to do this in every web application though, so a better solution is needed.
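The Type 3 decoding described above, as an added Python example that is not part of the original post: it parses an `Authorization: NTLM <base64>` header into (domain, user, workstation), returning None for anything that is not a Type 3 message (a Basic header, or the Type 1 message the browser sends first), and builds a constructed sample message to run against. The function names, the sample values and the empty LM/NTLM responses in the sample are assumptions.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, else OEM/ASCII


def _security_buffer(msg, pos):
    """Read an NTLM security buffer (len, maxlen, offset) and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]


def parse_ntlm_type3(authorization_header):
    """Return (domain, user, workstation) from a Type 3 NTLM header, else None."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        msg = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    # Type 3 layout: signature(8) type(4), six 8-byte security buffers
    # (LM, NTLM, domain, user, workstation, session key), flags at 60
    if len(msg) < 52 or not msg.startswith(NTLMSSP_SIGNATURE):
        return None
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        return None
    flags = struct.unpack_from("<I", msg, 60)[0] if len(msg) >= 64 else 0
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    try:
        return tuple(_security_buffer(msg, pos).decode(enc) for pos in (28, 36, 44))
    except UnicodeDecodeError:
        return None


def build_sample_type3(domain, user, workstation):
    """CONSTRUCTED Type 3 message for offline testing: Unicode flag set, empty
    LM/NTLM responses and session key (no real authentication material)."""
    header_len = 64
    payload = b""
    buffers = struct.pack("<HHI", 0, 0, header_len) * 2  # empty LM and NTLM responses
    for field in (domain, user, workstation):
        data = field.encode("utf-16-le")
        buffers += struct.pack("<HHI", len(data), len(data), header_len + len(payload))
        payload += data
    buffers += struct.pack("<HHI", 0, 0, header_len + len(payload))  # empty session key
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", 3) + buffers
    msg += struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")
```

The parsed name is only what the client put in the message; it is trustworthy solely because IIS completed the NTLM handshake before forwarding, so the backend must accept requests from IIS alone.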
Friday, July 31, 2009