Thanks again, Howard, for your knowledge on this... We are working towards disabling NTLMv1/v2 on our CAS box but have not found the right group policy/settings. Can you supply those, or maybe point us to where we should be looking for them?
Chris Whittle
SWAT Team Developer, J.B. Hunt Transport Services, Inc.
Office Phone: (479) 419-3122 Ext: 73122, Fax: (479) 820-1769
chris_whit...@jbhunt.com

Howard Gilbert <howard.gilb...@yale.edu>
07/22/2010 12:14 PM
Please respond to cas-dev@lists.jasig.org
To: cas-dev@lists.jasig.org
Subject: RE: [cas-dev] IE8 Outside the domain and Spegno

You are right that NTLMv2 will never "work" with CAS, but that doesn't prevent it from trying and messing things up.

There are two kinds of NTLM authentications: Domain and Workgroup. If the client machine is outside the Domain, it cannot generate a Domain authentication. However, if I have locally logged into my machine as "gilbert" (i.e. CLIENTMACHINE\gilbert) then I can access files on another server on the network on which I have a local account (SERVERMACHINE\gilbert) with the same userid and password. This access uses NTLM(v2) between the client and the server and does not require me to present any additional credentials.

Now things get technically fuzzy, but the results are clear to the end user. Whenever a non-domain connected machine accesses a resource on a domain connected server, and the initial Workstation authentication doesn't permit it, the system typically pops up a dialog box that asks for alternate credentials on the machine or on the domain to which it is connected. I do not know the underlying protocol, but believe that the password is not transmitted over the network. This may involve SMBs and NTLMv2, but is not technically a man in the middle because it is the SERVERMACHINE that is logging in as you, not the CLIENTMACHINE.

Although the previous discussion addresses SMB requests, GSSAPI uses whatever authentication mechanisms exist on the local machine at the OS level, and SPNEGO uses GSSAPI. Now in a real Domain situation the Kerberos 5 protocol will succeed and you never get to NTLM.

I think we are all in agreement that NTLM doesn't add anything to what we really want to do in CAS. However, GSSAPI doesn't know this and there doesn't appear to be any way to tell it except to disable all NTLM on the machine from all authentications of every sort. So knowing only that you want authentication, and having skipped or failed Kerberos 5, the Windows GSSAPI looks for another authentication protocol plugged into the OS and, ignorant of Java or CAS, finds that NTLMv2 is available, and if both the client and the server machine understand the protocol GSSAPI tries to use it.

One implied consequence of this is that if you enable SPNEGO and if CAS were not careful to check the type of Principal object returned, you might authenticate users defined in the CAS local SAM database as if they were domain userids. If SPNEGO/GSSAPI simply tried to use any CLIENTMACHINE\userid + password and compared it to CASMACHINE\userid + samepassword and silently failed, we probably would not know and would not care. Instead, it seems to trigger automatically the popup prompt for you to enter your domain userid and password to the browser, just as happens when you use a non-domain client to access a domain connected file server. That is what produces the unacceptable end user behavior.

To recap: I am logged on to CLIENTMACHINE\gilbert and try to authenticate to CASMACHINE. NTLM(v2) could authenticate me to a CASMACHINE\gilbert account if I have the same userid and password on both CLIENTMACHINE and CASMACHINE, and it will do this non-interactively, and this behavior will percolate up through GSSAPI and then up through SPNEGO. However, no Windows machine will ever automagically and non-interactively authenticate CLIENTMACHINE\gilbert as DOMAIN\gilbert even if I happen to have the same userid and password on my non-domain machine that I have in the domain. That always requires reentering the userid and password because domain credentials are different from local machine credentials.

However, since every machine has a local account database, and since GSSAPI doesn't know anything about Java or CAS or what we want or are trying to do, NTLMv2, if it is available, will be tried even though it can never do anything we want it to do, simply because it is there. If it ever succeeds, it will always have done the wrong thing (authenticate a user to the CASMACHINE database instead of the AD, or else prompt for a userid and password). So the solution is to run CAS on a Linux machine that doesn't have it, or disable NTLM (v1+v2) completely on a Windows box that runs CAS, assuming you don't need it for anything else on the machine.

-----Original Message-----
From: matthieu.m...@ensam.eu [mailto:matthieu.m...@ensam.eu]
Sent: Thursday, July 22, 2010 11:09 AM
To: cas-dev@lists.jasig.org
Subject: RE : [cas-dev] IE8 Outside the domain and Spegno

When looking at the Jcifs NTLM HTTP Authentication page (http://jcifs.samba.org/src/docs/ntlmhttpauth.html), I can see that the HTTP "filter" is using a "man in the middle" technique that cannot support NTLMv2. In fact, the jcifs filter makes a connection to an SMB share on the server using the NTLM token given by the HTTP client. So they recommend using Jespa instead, which properly implements NTLMv2. CAS is using Jcifs for HTTP Authentication. I was unable to make NTLMv2 work in CAS, and regarding the jcifs comment, it is not possible to make it work. I do not understand why you let us think that NTLMv2 is working with CAS, or maybe I do not understand everything you wrote.

--
You are currently subscribed to cas-dev@lists.jasig.org as: chris_whit...@jbhunt.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
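The following PowerShell script is an added example illustrating Howard's recommendation to disable NTLM (v1+v2) on the Windows box that runs CAS; it is not from the cas-dev thread and not part of CAS. It assumes the CAS host runs Windows Server 2008 R2 / Windows 7 or later (where the "Network security: Restrict NTLM" policies exist), an elevated PowerShell session, and that no domain GPO overrides these Security Options (a domain policy would overwrite the registry values on the next refresh, in which case set the same policies in the GPO that applies to the CAS server). Run it with -Mode Audit first and review the NTLM operational log before switching to -Mode Deny, because Deny also breaks SMB and RDP logons to the box from clients that can only use NTLM.

```powershell
# Added example (not from the cas-dev thread): inspect and optionally restrict
# NTLM on the Windows host that runs CAS. Assumes Windows Server 2008 R2 /
# Windows 7 or later and an elevated session. Start with -Mode Audit; use
# -Mode Deny only after Event Viewer > Applications and Services Logs >
# Microsoft > Windows > NTLM > Operational shows nothing you still need.
[CmdletBinding()]
param(
    [ValidateSet('Show', 'Audit', 'Deny')]
    [string]$Mode = 'Show'
)

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

# Group Policy equivalents (Computer Configuration > Windows Settings >
# Security Settings > Local Policies > Security Options):
#   LmCompatibilityLevel         "Network security: LAN Manager authentication level"
#                                5 = send NTLMv2 only, refuse LM and NTLM (v1)
#   RestrictReceivingNTLMTraffic "Network security: Restrict NTLM: Incoming NTLM traffic"
#                                0 = allow all, 1 = deny domain accounts, 2 = deny all accounts
#   RestrictSendingNTLMTraffic   "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
#                                0 = allow all, 1 = audit all, 2 = deny all
#   AuditReceivingNTLMTraffic    "Network security: Restrict NTLM: Audit Incoming NTLM Traffic"
#                                0 = disable, 1 = audit domain accounts, 2 = audit all accounts

function Get-NtlmSetting {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return '(not set)' }
    return $item.$Name
}

function Set-NtlmSetting {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Show-NtlmSettings {
    [PSCustomObject]@{
        LmCompatibilityLevel         = Get-NtlmSetting $lsa   'LmCompatibilityLevel'
        RestrictReceivingNTLMTraffic = Get-NtlmSetting $msv10 'RestrictReceivingNTLMTraffic'
        RestrictSendingNTLMTraffic   = Get-NtlmSetting $msv10 'RestrictSendingNTLMTraffic'
        AuditReceivingNTLMTraffic    = Get-NtlmSetting $msv10 'AuditReceivingNTLMTraffic'
    }
}

switch ($Mode) {
    'Audit' {
        # Refuse LM and NTLMv1 right away; only log NTLMv2 use for now so you
        # can see which clients and accounts still fall back to it.
        Set-NtlmSetting $lsa   'LmCompatibilityLevel'       5
        Set-NtlmSetting $msv10 'AuditReceivingNTLMTraffic'  2
        Set-NtlmSetting $msv10 'RestrictSendingNTLMTraffic' 1
    }
    'Deny' {
        # Refuse every inbound NTLM authentication (local and domain accounts)
        # and block outbound NTLM from this host, so SPNEGO/GSSAPI can only
        # succeed with Kerberos. Caveat: non-domain clients lose SMB/RDP access
        # to this box, so keep a Kerberos-capable admin path or console access.
        Set-NtlmSetting $lsa   'LmCompatibilityLevel'         5
        Set-NtlmSetting $msv10 'RestrictReceivingNTLMTraffic' 2
        Set-NtlmSetting $msv10 'RestrictSendingNTLMTraffic'   2
    }
}

Show-NtlmSettings | Format-List
```

Usage: `.\Restrict-Ntlm.ps1` prints the current values without changing anything; `.\Restrict-Ntlm.ps1 -Mode Audit` then `-Mode Deny` apply the two stages (the script name is illustrative). The Restrict NTLM values take effect without a reboot, but a browser that already negotiated NTLM to CAS will keep prompting until it starts a fresh session, so test from a non-domain client with a new browser process.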