NTLM

Many administrative users and, in some institutions, many students are working on a Windows 2000 or Windows XP machine logged into a Windows domain.

In Active Directory, this means that they have a Kerberos 5 ticket as their primary method of authentication to the Domain. Unfortunately, the Web doesn't expose a standard method of using that ticket for authentication at the Server end.

However, there was an earlier form of authentication for Windows NT 4 domains, and Microsoft made non-standard extensions in IE to support its use over the Web. It is called NTLM. It is a challenge-response protocol in which the user's password is a shared secret that is never transmitted over the Web: the server sends a random challenge, the client answers with a value computed from that challenge and a hash of the password, and the server checks the answer against its own stored copy of the hash. Microsoft extended the HTTP 401 / WWW-Authenticate exchange (the mechanism behind the Basic and Digest authentication dialogs) with an "NTLM" scheme that carries this exchange as an alternative to password-in-the-clear or Digest authentication. Mozilla supports the NTLM exchange, but it requires the user to enter a userid and password into the authentication dialog box. With Mozilla, the only advantage is that the password is not sent in the clear to non-SSL Web sites that use NTLM challenges. IE, however, can answer the challenge with the credentials Windows retained when the user logged into the domain, so no dialog box appears at all. Note that the challenge-response only keeps the password off the wire; it does not authenticate the server to the client, so it is not a substitute for SSL.
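To make the challenge-response concrete, here is an added example (it is not code from this page, from CAS, or from the Samba group's library) that computes the NTLMv2 answer a client puts in its third message and checks it the way the server side does, using only the stored password hash. The user, domain, password, challenges and target information are the constructed values from Microsoft's published MS-NLMP test vectors; the MD4 routine is written out because many hashlib builds no longer ship MD4.

```python
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NTLM needs it for the password hash."""
    def rol(x, n):
        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    # (boolean function, message-word order, shift cycle, round constant)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for func, order, shifts, const in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4  # register updated this step cycles a, d, c, b
                t = v[j] + func(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]) + x[k] + const
                v[j] = rol(t & 0xFFFFFFFF, shifts[i % 4])
        state = [(s + w) & 0xFFFFFFFF for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. This is what the domain stores;
    the cleartext password itself is never needed again by either side."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: binds the password hash to the (upper-cased) user and domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_response(nt, user, domain, server_challenge, client_challenge,
                    target_info, timestamp=0):
    """Client side (third NTLM message): NTProofStr followed by the 'temp' blob.
    Only the HMAC of the challenge crosses the wire, never the hash or password."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, "md5").digest()
    return proof + temp


def verify_ntlmv2(nt, user, domain, server_challenge, response) -> bool:
    """Server side: recompute the proof from the stored hash and the challenge it
    issued, and compare in constant time."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, "md5").digest()
    return hmac.compare_digest(proof, expected)


def demo():
    # Constructed inputs taken from the MS-NLMP test vectors (user "User",
    # domain "Domain", password "Password"); a real server draws a fresh
    # random challenge for every exchange.
    nt = nt_hash("Password")
    server_challenge = bytes.fromhex("0123456789abcdef")
    client_challenge = b"\xaa" * 8
    target_info = (bytes.fromhex("02000c00") + "Domain".encode("utf-16-le")
                   + bytes.fromhex("01000c00") + "Server".encode("utf-16-le")
                   + bytes.fromhex("00000000"))
    resp = ntlmv2_response(nt, "User", "Domain", server_challenge, client_challenge, target_info)
    good = verify_ntlmv2(nt, "User", "Domain", server_challenge, resp)
    wrong_password = verify_ntlmv2(nt_hash("Wrong"), "User", "Domain", server_challenge, resp)
    wrong_challenge = verify_ntlmv2(nt, "User", "Domain", b"\x00" * 8, resp)
    return good, wrong_password, wrong_challenge


if __name__ == "__main__":
    print(demo())
```

The shape of the HTTP exchange is the same three legs the text describes: the browser sends a negotiate message, the server replies 401 with a `WWW-Authenticate: NTLM` header carrying `server_challenge` and `target_info`, and the browser answers with the response computed above. Because the proof is an HMAC over a challenge the server chose, a captured response cannot be replayed against a later challenge, which is the last check in `demo()`.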

The SAMBA group has produced a Java JAR file (jCIFS) that performs the NTLM challenge exchange from a Servlet container. Typically it runs as a Servlet Filter in front of an application. If the remote user can pass the challenge, the filter stores the userid in the request (as the remote user) before the CAS Servlet begins processing. Unfortunately, it may be impossible to configure the NTLM filter to operate only non-interactively. If you put the filter in the path and the browser doesn't support NTLM, or supports it but has no domain credentials to offer, the user will see a dialog box asking for a userid and password.

Therefore, the proposal is to chain to the NTLM filter only if the user presses a "Use my existing Windows logon" button on some future CAS logon screen. There may also be an option to set a cookie that makes this the default behavior in subsequent CAS logons, which would be appropriate for Yale Administrative users on dedicated personal desktop machines at work.