NT security mode (Windows NT Authentication only):
It is related to windows domain. Access will be given to existing domain user account.Using those credentials, user can access the database.Separate account is not created as in other databases.
Mixed mode (Windows NT Authentication and SQL Server Authentication)
In these modes, both domain accounts and database accounts can be used to access the database.
JDBC drivers available for Microsoft SQL Database Server 2000:
1. JTDS Driver
JTDS driver works in both NT security mode and mixed mode.
2. Microsoft SQL Server JDBC Driver
MS SQL server JDBC driver works in mixed mode only.
Connection strings used for NT security mode using JTDS driver:
Ex:
con = java.sql.DriverManager.getConnection(”jdbc:jtds:sqlserver://servernaem or IP address:port no/database name;user=domain username;password=password;domain=Domain name”);
This string works in both windows and non-windows. This is not ntlm authentication method.
or
con = java.sql.DriverManager.getConnection(”jdbc:jtds:sqlserver://servernaem or IP address:port no/database name;”);
This method uses NTLM authentication. So NTLMauth.dll has to be copied to the system path. [ It is available along with JTDS driver. ]
Trouble shooting:
The above errors occur, when you try to access the ms sql database from remote machines or applications.
2. You may be trying to access the database using database account and ms sql server might have been set to NT security mode.
3. User is accessing the database from windows domain account and he has access to it. But still getting error message means, he didn’t implement NTLM method correctly or didn’t give correct credentials. Please check the connection strings given in above section.
For any questions or issues, leave comments here.
]]>
This BOK details how to get a Java-based web-application to negotiate with a IE web client for username and domain information. This is a common requirement for web-based applications especially ones that do not want to bore users with a login page. IE will negotiate a user’s password hashes with the webserver, which checks their authenticity against a windows domain controller. If valid, the user’s username and domain will be accessible to the webserver servlets.
The method HttpServletRequest.getRemoteUser() should return the username of the person using the browser which fired a request to this Servlet.
This method, however works correctly only if the user has been authenticated first by a webserver authentication scheme -
which could be BASIC,DIGEST or CLIENT-CERT. This is the kind of setup the the Apache webserver provides, giving a challenge-response, username-password method of authentication.
What we do here is use a Servlet filter provided as part of the open-source jCIFS package, to get an IE user's username and domain.
This filter will take the trouble of intercepting user requests, asking IE for the user's password hashes,validating them against a windows domain controller and enabling HttpServletRequest.getRemoteUser() to return the windows user id.
Please note this method will not work for non-IE clients, simply because this is a proprietary extension by Microsoft.
For other browsers you will have to rely on BASIC or certificate-based authentication.
First, we need to download a jcifs jar from http://jcifs.samba.org. I have tested this with jcifs version 0.7.14.jCIFS is from the makers of Samba and provides APIs to access Windows shares, networks and the ability to authenticate against a Windows domain controller. Place this jar under WEB-INF/lib of your web application. There is a filter called jcifs.http.NtlmHttpFilter which implements all the wizadry above. You need to register it in your application's web.xml descriptor:
<web-app>
...
<!-- NTLM HTTP Authentication only works with MSIE -->
<filter>
<filter-name>NTLM HTTP Authentication Filter</filter-name>
<filter-class>jcifs.http.NtlmHttpFilter</filter-class>
<!-- CCD will help you with a PDC and WINS server ip at your location. -->
<init-param>
<param-name>jcifs.http.domainController</param-name>
<param-value>192.168.170.5</param-value>
</init-param>
<init-param>
<param-name>jcifs.netbios.wins</param-name>
<param-value>192.168.166.13</param-value>
</init-param>
</filter>
<!-- This is the url under which we need access to the username and domain. -->
<filter-mapping>
<filter-name>NTLM HTTP Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
...
</web-app>
That's it. Now all IE requests to your webserver urls as specified in the web.xml entries are negotiated so that you can call a HttpServletRequest.getRemoteUser() to get the remote user's username in the form.
DOMAIN\username.
Please note at no point will a password dialog pop up for the user, the password hashes are picked from IE and validated with the domain controller.
Example code for a servlet :
public void doGet( HttpServletRequest req, HttpServletResponse resp ) throws IOException, ServletException
{
PrintWriter out = resp.getWriter();
resp.setContentType( “text/html” );
out.println( “<HTML><HEAD><TITLE>NTLM HTTP Authentication Example</TITLE></HEAD><BODY>” );
out.println( “<h2>NTLM HTTP Authentication Example</h2>” );
out.println( req.getRemoteUser() + ” logged in” );
}
If the filter has not been configured properly, a null will be printed for the above call to req.getRemoteUser().