Single Sign-on for Java provides an auditing facility with several logging levels, allowing security events to be diagnosed and recovered from effectively. Setting up logging describes how to enable it.
We recommend that the logging level be set to at least WARN, which covers security-sensitive events such as failed logins. If your logging system has sufficient capacity and the risk of an attacker flooding it (a denial of service against the logs themselves) is low, you will also find INFO useful, as it records successful requests as well.
Each audit record contains the date, the source IP address, the URL being accessed and, where applicable, the MD5 hash of the session ID. Logging the hash rather than the raw session ID allows events from the same session to be correlated without the session ID itself being exposed in the log files.
Single Sign-on for Java provides support for the NTLM authentication mechanism when SPNEGO authentication is unavailable. This is of particular use for operating system / browser combinations that do not support SPNEGO (for example, Microsoft Windows 98 and Windows NT).
Like its predecessor, LAN Manager (LM), NTLM uses a challenge-response process (sometimes referred to as NTCR) to prove the client's identity without ever sending the password, or even a hash of the password, across the network. It does this using a three-pass process consisting of:
Historically, the Microsoft Windows family of products has supported two variants of challenge-response authentication for network logons:
The LM variant allows interoperability with the installed base of Windows 95, Windows 98 and Windows ME clients and servers. NTLM was designed to provide more secure connections between Windows NT clients and servers. Windows NT also supports the NTLM session security mechanism, which provides message confidentiality (encryption) and integrity (signing).
Advances in computer hardware and in cryptanalytic techniques have made these protocols vulnerable to widely published attacks for recovering user passwords. The LM hash is computed from the password upper-cased and split into two seven-character halves, so each half can be brute-forced independently, and the NTLM (version 1) response pads the 16-byte hash to 21 bytes and uses it as three DES keys, the last of which contains only two bytes of hash material.
To resolve these problems, Microsoft developed an enhancement, called NTLM version 2, that significantly improved both the authentication and session security mechanisms.
NTLM 2 has been available for Windows NT 4.0 since Service Pack 4 (SP4) was released, and it is supported natively in Windows 2000.
We recommend that you use NTLM v2 whenever NTLM is required for authentication. NTLM v2 hardens the response against offline password recovery, but the server still authenticates using the stored password hash, so that hash remains as sensitive as the password itself; NTLM in any version is a fallback, and SPNEGO should be used wherever the client supports it.
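As an added worked example (not code from Single Sign-on for Java or from Microsoft), the following Python script runs the NTLM v2 challenge-response exchange described above end to end: the server stores only the NT hash, issues a random challenge, and verifies the client's response without ever seeing the password or receiving the hash over the wire. MD4 is implemented inline from RFC 1320 because many current Python builds no longer expose it in hashlib. The account name, domain, server name, challenges and passwords are constructed values, and the timestamp is fixed at zero for simplicity.

```python
"""NTLMv2 challenge-response walkthrough (added example, constructed test data)."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented inline because OpenSSL 3 builds of hashlib often lack it."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                   # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. This is what the server stores, and it is password-equivalent."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 binds the NT hash to the upper-cased user name and the domain (MS-NLMP 3.3.2)."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def av_pair(av_id: int, value: str) -> bytes:
    """One AV_PAIR of the CHALLENGE message's TargetInfo: id, byte length, UTF-16LE value."""
    v = value.encode("utf-16le")
    return struct.pack("<HH", av_id, len(v)) + v


def ntlmv2_response(nt, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """Client side: NtChallengeResponse = NTProofStr || temp. Only HMACs leave the client, never the hash."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def verify_ntlmv2(stored_nt, user, domain, server_challenge, response):
    """Server side: recompute NTProofStr from the stored hash and the issued challenge; compare in constant time."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def run_exchange(real_password: str, typed_password: str, replay_challenge: bytes = None) -> bool:
    """Three-pass NTLM handshake between a constructed client and server."""
    user, domain = "alice", "EXAMPLE"            # constructed account (assumption)
    stored_nt = nt_hash(real_password)           # what the server's account store holds
    # Pass 1 (NEGOTIATE): client announces NTLM; nothing secret is sent.
    # Pass 2 (CHALLENGE): server sends an 8-byte nonce plus TargetInfo naming the domain and server.
    server_challenge = os.urandom(8)
    target_info = av_pair(2, domain) + av_pair(1, "SSOSERVER") + struct.pack("<HH", 0, 0)
    # Pass 3 (AUTHENTICATE): client answers with a response keyed by its hash over both challenges.
    response = ntlmv2_response(nt_hash(typed_password), user, domain, server_challenge,
                               os.urandom(8), 0, target_info)
    # The server verifies against the challenge it actually issued (or a replayed one, to show it fails).
    return verify_ntlmv2(stored_nt, user, domain, replay_challenge or server_challenge, response)


if __name__ == "__main__":
    print("correct password:", run_exchange("correct horse", "correct horse"))
    print("wrong password:", run_exchange("correct horse", "wrong horse"))
    print("response replayed against another challenge:",
          run_exchange("correct horse", "correct horse", os.urandom(8)))
```

Running the script prints True for the correct password, False for a wrong one, and False when a valid response is checked against a challenge the server did not issue, which is what the per-connection nonce buys. Note that `verify_ntlmv2` needs only `stored_nt`: whoever holds the NT hash can complete the exchange without knowing the password, which is why a leaked hash must be treated exactly like a leaked password under NTLM v2 as much as under version 1.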