
Single Sign-On for Java 3.3.2 - Administration Guide


Single Sign-on for Java provides an auditing capacity with several different levels allowing effective diagnosis and recovery for security events. Setting up logging describes how to enable this logging facility.

We recommend that the logging level be set to WARN, which covers security sensitive events such as bad logins. If there is sufficient capacity and a low risk of a DoS attack on your logging system, you will also find INFO to be useful, as this logs information about successful requests.

The audit logs contain the date, source IP, URL being accessed and, if appropriate, the MD5 hash of the session ID to allow effective correlation of events.

NTLM authentication

Single Sign-on for Java provides support for the NTLM authentication mechanism when SPNEGO authentication is unavailable. This is of particular use for operating system / browser combinations that do not support SPNEGO (for example, Microsoft Windows 98 and Windows NT).

What is NTLM

NT LanManager (NTLM) is a Microsoft proprietary authentication mechanism that is integrated into all of the Windows NT family of products.

Like its predecessor, LanManager, NTLM uses a challenge-response process (sometimes referred to as NTCR) to prove client identity, without ever requiring a password or even a hashed password to be sent across the network. It does this using a three-pass process consisting of:

  1. Negotiation: Send a list of security features supported by the client.
  2. Challenge: Send back the list of security features agreed upon by the server, together with a challenge that only the legitimate client can answer correctly.
  3. Authentication: Respond to the server's challenge, and also send the username and domain information for the client.

Different versions of NTLM

Historically, the Microsoft Windows family of products has supported two variants of challenge-response authentication for network logons:

  • LAN Manager (LM) challenge-response
  • Windows NT challenge-response (NTLM version 1)

The LM variant allows interoperability with the installed base of Windows 95, Windows 98, and Windows ME clients and servers. NTLM was designed to provide improved security for connections between Windows NT clients and servers. Windows NT also supports the NTLM session security mechanism, which provides message confidentiality (encryption) and integrity (signing).

Recent improvements in computer hardware and software algorithms have made these protocols vulnerable to widely published attacks for obtaining user passwords.

To resolve these problems, Microsoft developed an enhancement, called NTLM version 2, that significantly improved both the authentication and session security mechanisms.

NTLM 2 has been available for Windows NT 4.0 since Service Pack 4 (SP4) was released, and it is supported natively in Windows 2000.

We recommend that you use NTLM v2 whenever NTLM is required for authentication.
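The three-pass exchange described above, carried out with the NTLMv2 response, as an added model written for this guide (it is not code from Single Sign-on for Java). Message framing, negotiate flags, the timestamp and target information of the real NTLMv2 blob are simplified to dictionaries and plain nonces; the 16-byte value standing in for the account's stored NT hash is constructed, not a real hash.

```python
import hashlib
import hmac
import os

# Minimal model of the NTLM three-pass exchange using the NTLMv2 response.
# Only a keyed MAC over the two challenges crosses the wire; the password and
# its hash stay on the client and in the server's account store.


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the stored NT hash over UPPER(user)+domain."""
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, ident, hashlib.md5).digest()


def ntlmv2_proof(key: bytes, server_challenge: bytes, client_challenge: bytes) -> bytes:
    """NtProofStr: HMAC-MD5 over server challenge || client data (blob simplified)."""
    return hmac.new(key, server_challenge + client_challenge, hashlib.md5).digest()


def negotiate() -> dict:
    # Pass 1: the client advertises the security features it supports.
    return {"type": 1, "flags": frozenset({"NTLMv2", "SIGN", "SEAL"})}


def challenge(neg: dict, server_flags=frozenset({"NTLMv2", "SIGN"})) -> dict:
    # Pass 2: the server keeps the features both sides support and issues a fresh nonce.
    return {"type": 2, "flags": neg["flags"] & server_flags, "server_challenge": os.urandom(8)}


def authenticate(chal: dict, user: str, domain: str, nt_hash: bytes) -> dict:
    # Pass 3: the client sends identity plus a proof bound to both nonces.
    client_challenge = os.urandom(8)
    proof = ntlmv2_proof(ntowf_v2(nt_hash, user, domain), chal["server_challenge"], client_challenge)
    return {"type": 3, "user": user, "domain": domain,
            "client_challenge": client_challenge, "proof": proof}


def server_verify(chal: dict, auth: dict, account_db: dict) -> bool:
    # The server recomputes the proof from its stored NT hash and compares in constant time.
    nt_hash = account_db.get((auth["domain"], auth["user"].upper()))
    if nt_hash is None:
        return False
    key = ntowf_v2(nt_hash, auth["user"], auth["domain"])
    expected = ntlmv2_proof(key, chal["server_challenge"], auth["client_challenge"])
    return hmac.compare_digest(expected, auth["proof"])


def run_exchange(user: str, domain: str, client_nt_hash: bytes, account_db: dict) -> bool:
    neg = negotiate()
    chal = challenge(neg)
    return server_verify(chal, authenticate(chal, user, domain, client_nt_hash), account_db)


# Constructed account store: the 16 bytes below are a stand-in, not a real NT hash.
ACCOUNTS = {("EXAMPLE", "ALICE"): bytes(range(16))}
```

Because the client nonce changes on every run, a captured proof is useless for a replay and cannot be precomputed for a given server challenge, which is the property that distinguishes NTLMv2 from the LM and NTLMv1 responses mentioned above.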
