https://issues.apache.org/bugzilla/show_bug.cgi?id=46323
--- Comment #3 from Christophe Dupriez <christophe.dupr...@poisoncentre.be> 2010-02-10 05:56:29 UTC ---

Basic Authentication takes control when the user provided by NTLM is not recognized (or the user comes from outside the LAN). As you read:

*** There is a Microsoft "specification" (bug?) by which all LDAP binds are evaluated on the Domain Server (as if the user were attempting to log in on the Domain Server). It would be better to have binds evaluated as if they were originating from the LDAP client machine (the Tomcat server). To circumvent this, I have been obliged to remove the binding (the password checking) but to ensure that it is NTLM (and nothing else) which provides the username. ***

Somebody who "emulates" (cracks) NTLM can forge their identity: this patch does not secure a Microsoft network any more than the NTLM protocol does (which is being phased out, if I understand correctly). Meanwhile, for many LANs, the NTLM protocol remains the only option. The "roles" of the user (memberOf) are fetched from the Active Directory: a user cannot forge their rights.
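The design the comment describes, as an added illustration that is not code from the patch or from Tomcat: the user's password is never bound against the Domain Controller; the username is taken from the NTLM step that already ran, and only the user's memberOf groups are read, through a dedicated read-only service account. Plain JNDI is used instead of Tomcat's Realm API so that no Realm method signatures are assumed; the class name, the LDAP URL, the search base and the service account DN are placeholders.

```java
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

/** Resolves AD group membership for a username that NTLM has already verified.
 *  The user's own credentials are never sent to the DC; a read-only service
 *  account performs the lookup. All connection values here are placeholders. */
public class NtlmRoleResolver {
    private final String url = "ldaps://dc.example.internal:636";       // placeholder DC
    private final String searchBase = "DC=example,DC=internal";          // placeholder base
    private final String serviceDn = "CN=tomcat-lookup,OU=Service,DC=example,DC=internal";
    private final String servicePassword;

    public NtlmRoleResolver(String servicePassword) { this.servicePassword = servicePassword; }

    /** Returns the CN of each group in the user's memberOf attribute (empty if unknown). */
    public List<String> rolesFor(String samAccountName) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, serviceDn);      // service account binds, not the user
        env.put(Context.SECURITY_CREDENTIALS, servicePassword);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf"});
            // The name is passed as a {0} argument so JNDI escapes it; never concatenate it.
            NamingEnumeration<SearchResult> hits = ctx.search(searchBase,
                    "(&(objectClass=user)(sAMAccountName={0}))", new Object[] {samAccountName}, sc);
            List<String> roles = new ArrayList<>();
            if (!hits.hasMore()) return roles;             // unknown user: no roles at all
            Attribute memberOf = hits.next().getAttributes().get("memberOf");
            if (memberOf == null) return roles;
            for (NamingEnumeration<?> g = memberOf.getAll(); g.hasMore();) {
                LdapName dn = new LdapName((String) g.next());  // e.g. CN=Admins,OU=Groups,...
                roles.add(dn.getRdn(dn.size() - 1).getValue().toString()); // leftmost RDN = CN
            }
            return roles;
        } finally {
            ctx.close();
        }
    }
}
```

The caller must only invoke rolesFor with a principal name obtained from the NTLM authenticator, as the comment insists; a name supplied through any other path would receive that user's roles without any credential ever being checked.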