Cross-Application User Authentication
- by Chris Lieb
We have a webapp written in .NET that uses NTLM for SSO. We are writing a new webapp in Java that will tightly integrate with the original application. Unfortunately, Java has no support for performing the server portion of NTLM authentication and the only library that I can find requires too much setup to be allowed by IT.
To work around this, I came up with a remote authentication scheme to work across applications and would like your opinions on it. It does not need to be extremely secure, but at the same time it should not be easily broken.
1. User is authenticated into the .NET application using NTLM.
2. User clicks a link that leaves the .NET application.
3. The .NET application generates a random number and stores it in the user table along with the user's full username (domain\username).
4. An insecure token is formed as random number:username.
5. The insecure token is run through a secure cipher (likely AES-256) using a pre-shared key stored within the application to produce a secure token.
6. The secure token is passed as part of the query string to the Java application.
7. The Java application decrypts the secure key using the same pre-shared key stored within its own code to get the insecure token.
8. The random number and username are split apart.
9. The username is used to retrieve the user's information from the user table, and the stored random number is checked against the one pulled from the insecure token.
10. If the numbers match, the username is put into the session for the user and they are now authenticated.
11. If the numbers do not match, the user is redirected to the .NET application's home page.
12. The random number is removed from the database.
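Both halves of the hand-off described in the post, as an added example that is not the poster's code (written in Go so that it runs stand-alone rather than in the .NET and Java applications). It assumes a constructed 32-byte pre-shared key, an in-memory map in place of the shared user table, and AES-256 in GCM mode (an authenticated mode, so a token altered in transit fails decryption instead of yielding a garbled username); the post only says "AES-256".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

var preSharedKey = []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key held by both apps
var userTable = map[string]string{}                           // stands in for the user table: username -> pending random number
var enc = base64.RawURLEncoding                               // query-string safe, no padding

// AES-256-GCM over the constant key (authenticated mode; the post says only "AES-256"); a valid 32-byte key makes neither call fail.
var block, _ = aes.NewCipher(preSharedKey)
var aead, _ = cipher.NewGCM(block)

// issueToken (the .NET side) stores a fresh random number for the user, forms the insecure
// token random:username and encrypts it into the secure token carried in the query string.
func issueToken(username string) (string, error) {
	buf := make([]byte, 16+aead.NonceSize())
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	random, nonce := enc.EncodeToString(buf[:16]), buf[16:]
	userTable[username] = random
	sealed := aead.Seal(nonce, nonce, []byte(random+":"+username), nil) // nonce || ciphertext || tag
	return enc.EncodeToString(sealed), nil
}

// verifyToken (the Java side) decrypts, splits, compares against the stored number and
// removes that number so the same token is rejected if it is presented again.
func verifyToken(token string) (string, error) {
	sealed, err := enc.DecodeString(token)
	if err != nil || len(sealed) < aead.NonceSize() {
		return "", errors.New("malformed token")
	}
	plain, err := aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
	if err != nil {
		return "", errors.New("token failed decryption or was tampered with")
	}
	random, username, ok := strings.Cut(string(plain), ":") // domain\username holds no colon
	if stored, found := userTable[username]; !ok || !found || stored != random {
		return "", errors.New("random number mismatch: redirect to the .NET home page")
	}
	delete(userTable, username) // single use
	return username, nil
}
```

Because the stored number is deleted on success and overwritten whenever a new token is issued, an old token for the same user stops verifying as soon as a newer one exists.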