NTLM身份验证-仅仅是提示(挑战),还是实际进行身份验证?
[英]NTLM Authentication - is it simply a prompt(challenge), or does it actually authenticate?
问题描述
I have a (java) web-application, and i have enabled NTLM Authentication. 
我有一个(java)网络应用程序,并且启用了NTLM身份验证。
When the logon prompt is presented by the browser in our (windows) intranet environment. 当浏览器在我们的(Windows)Intranet环境中显示登录提示时。 The behavior i see is: 我看到的行为是:
NTLM prompt does not seem to be doing any authentication at all, i am able to type any random string in userid prompt and it allows the user to proceed into the application. NTLM提示符似乎根本不执行任何身份验证,我可以在userid提示符中键入任何随机字符串,并且它允许用户继续进入应用程序。 The prompt never fails the user. 提示永远不会使用户失败。
So, what do i need to check at the server end to find if authentication succeeded or not? 因此,我需要在服务器端检查什么以确认身份验证是否成功?
2 个解决方案
解决方案1
1 已采纳 2012-08-07 05:07:43
The idea behind NTLM auth is that the logged on user can proceed with connection without explicitly entering his username and password again. NTLM身份验证背后的想法是,登录的用户可以继续进行连接,而无需再次明确输入其用户名和密码。 So whatever your application asks you is irrelevant (as you can see it yourself) and instead your system credentials are used. 因此,无论您的应用程序要求什么,都不相关(您自己可以看到),而是使用系统凭据。
解决方案2
0 2012-08-08 17:26:46
NTLM authentication has been broken for a number of years -- NTLM 2 shipped with NT 4, so hopefully people have moved on by now. NTLM身份验证已经被破坏了很多年-NT 4附带了NTLM 2,因此希望人们现在可以继续前进。 If you want to use Active Directory login information, you should use Kerberos instead. 如果要使用Active Directory登录信息,则应改用Kerberos。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.