[jcifs] NTLM handshake slow, and interruped after the 3rd GET

Balazs Szuecs balazs.szuecs at wave-solutions.com
Tue Feb 8 12:07:25 GMT 2005 

Hello,

I am new to jCIFS, and I wanted to test the NTLM negotiation with a tomcat 
server. Here's my configuration:

jCIFS 1.1.7
Tomcat 4.1
IE 6.0
Win XP

As I understand it, the NTLM handshake should look like as follows:

REQ#1 (GET)
RESP#1 (401)
REQ#2 (GET)
RESP#2 (401)
REQ#3 (GET)
RESP#3 (200)

I installed and set up jCIFS, and tested with NtlmHttpAuthExample. I'm 
experiencing the following problems:

1) tomcat returns RESP#1 immediately to the browser --> OK
2) the browser appears to wait exactly 60 seconds (!!!) between RESP#1 and 
REQ#2 --> ???
3) tomcat and jcifs talk to the domain controller, and return RESP#2 in no 
time --> OK
4) then again, the browser waits another 60 (!!!!!!!) seconds before 
sending REQ#3, then at once it times out... --> ???
5) there is no response for REQ#3 --> ???
6) there are no exceptions, no errors or warnings in the tomcat log

There seems to be no problem with the communication between jcifs and the 
domain conroller, since jcifs produces the log output below.

Does anyone have an idea, what it could be?
Thank you very much!

best Regards,

Balazs

================

Tue Feb 08 12:11:12 CET 2005: 
LOGON_SHARE=null,LOOKUP_RESP_LIMIT=5,DOMAIN=EDIFACT,USERNAME=null,CACHE_POLICY=1200,dc_list.length=0,dc_list_range=1,dc_list_index=0
NameQueryRequest[nameTrnId=1,isResponse=false,opCode=QUERY,isAuthAnswer=false,isTruncated=false,isRecurAvailable=false,isRecurDesired=true,isBroadcast=false,resultCode=0,questionCount=1,answerCount=0,authorityCount=0,additionalCount=0,questionName=EDIFACT<1C>,questionType=0x0020,questionClass=IN,recordName=null,recordType=0x0000,recordClass=0x0000,ttl=0,rDataLength=0]
00000: 00 01 01 00 00 01 00 00 00 00 00 00 20 45 46 45  |............ EFE|
00010: 45 45 4A 45 47 45 42 45 44 46 45 43 41 43 41 43  |EEJEGEBEDFECACAC|
00020: 41 43 41 43 41 43 41 43 41 43 41 42 4D 00 00 20  |ACACACACACABM.. |
00030: 00 01                                            |..              |

NetBIOS: new data read from socket
NameQueryResponse[nameTrnId=1,isResponse=true,opCode=QUERY,isAuthAnswer=true,isTruncated=false,isRecurAvailable=true,isRecurDesired=true,isBroadcast=false,resultCode=0,questionCount=0,answerCount=1,authorityCount=0,additionalCount=0,questionName=null,questionType=0x0000,questionClass=IN,recordName=EDIFACT<1C>,recordType=0x0020,recordClass=IN,ttl=0,rDataLength=18,addrEntry=[Ljcifs.netbios.NbtAddress;@82d210]
00000: 00 01 85 80 00 00 00 01 00 00 00 00 20 45 46 45  |............ EFE|
00010: 45 45 4A 45 47 45 42 45 44 46 45 43 41 43 41 43  |EEJEGEBEDFECACAC|
00020: 41 43 41 43 41 43 41 43 41 43 41 42 4D 00 00 20  |ACACACACACABM.. |
00030: 00 01 00 00 00 00 00 12 80 00 0A E8 B5 47 80 00  |...........èµG..|
00040: 0A E8 B5 48 80 00 0A E8 B5 48                    |.èµH...èµH      |

Default credentials (jcifs.smb.client.username/password) not specified. 
SMB signing may not work propertly. Skipping DC interrogation.
session established ok with EDIFACT<1C>/10.232.181.71
requesting negotiation with EDIFACT<1C>/10.232.181.71
SmbComNegotiate[command=SMB_COM_NEGOTIATE,received=false,errorCode=The 
operation completed 
successfully.,flags=0x0018,flags2=0xC003,signSeq=0,tid=0,pid=9510,uid=0,mid=1,wordCount=0,byteCount=12,wordCount=0,dialects=NT 
LM 0.12]
00000: 00 00 00 2F FF 53 4D 42 72 00 00 00 00 18 03 C0  |.../ÿSMBr......À|
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 25  |..............&%|
00020: 00 00 01 00 00 0C 00 02 4E 54 20 4C 4D 20 30     |........NT LM 0 |

new data read from socket: EDIFACT<1C>/10.232.181.71
byteCount=42 but readBytesWireFormat returned 22
SmbComNegotiateResponse[command=SMB_COM_NEGOTIATE,received=true,errorCode=The 
operation completed 
successfully.,flags=0x0098,flags2=0xC003,signSeq=0,tid=0,pid=9510,uid=0,mid=1,wordCount=17,byteCount=42,wordCount=17,dialectIndex=0,securityMode=0x7,security=user,encryptedPasswords=true,maxMpxCount=50,maxNumberVcs=1,maxBufferSize=16644,maxRawSize=65536,sessionKey=0x00000000,capabilities=0x0001F3FD,serverTime=Tue 
Feb 08 12:11:07 CET 
2005,serverTimeZone=65476,encryptionKeyLength=8,byteCount=42,encryptionKey=0x0094588E66A18927,oemDomainName=EDIFACT]
00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  |ÿSMBr......À....|
00010: 00 00 00 00 00 00 00 00 00 00 26 25 00 00 01 00  |..........&%....|
00020: 11 00 00 07 32 00 01 00 04 41 00 00 00 00 01 00  |....2....A......|
00030: 00 00 00 00 FD F3 01 00 A0 86 47 E3 CE 0D C5 01  |....ýó.. .GãÎ.Å.|
00040: C4 FF 08 2A 00 00 94 58 8E 66 A1 89 27 45 00 44  |Äÿ.*...X.f¡.'E.D|
00050: 00 49 00 46 00 41 00 43 00 54 00 00 00 45 00 44  |.I.F.A.C.T...E.D|
00060: 00 49 00 53 00 52 00 56 00 30 00 31 00 00 00     |.I.S.R.V.0.1... |

close: NbtSocket[addr=EDIFACT<1C>/10.232.181.71,port=139,localport=4546]

================

I also sniffed the http traffic with HTTPLook:

REQ#1

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/vnd.ms-excel, application/vnd.ms-powerpoint, 
application/msword, application/x-shockwave-flash, 
application/security-capsule, */*
Accept-Language: de-at
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET 
CLR 1.1.4322)
Host: 127.0.0.1:8080
Connection: Keep-Alive
Cookie: personalisation=lang=de; 
JSESSIONID=EB036F6D6F62F48BFAE21477B28BEAD7.0

RESP#1

HTTP/1.1 401 Unauthorized
Date: Tue, 08 Feb 2005 11:10:11 GMT
Server: Apache Tomcat/4.1.27 (HTTP/1.1 Connector)
WWW-Authenticate: NTLM

REQ#2

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/vnd.ms-excel, application/vnd.ms-powerpoint, 
application/msword, application/x-shockwave-flash, 
application/security-capsule, */*
Accept-Language: de-at
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET 
CLR 1.1.4322)
Host: 127.0.0.1:8080
Connection: Keep-Alive
Authorization: NTLM 
TlRMTVNTUAABAAAAB7IIogcABwAxAAAACQAJACgAAAAFASgKAAAAD0VESVdPUksxNkVESUZBQ1R=
Cookie: personalisation=lang=de; 
JSESSIONID=EB036F6D6F62F48BFAE21477B28BEAD7.0

RESP#2

HTTP/1.1 401 Unauthorized
Date: Tue, 08 Feb 2005 11:11:12 GMT
Server: Apache Tomcat/4.1.27 (HTTP/1.1 Connector)
WWW-Authenticate: NTLM 
TlRMTVNTUAACAAAADgAOADAAAAAFAoEAAJRYjmahiScAAAAAAAAAADYANgA+AAAARQBEAEkARgBBAEMAVAACAA4ARQBEAEkARgBBAEMAVAABABwASgBDAEkARgBTADEAOAAyAF8AOAA2AF8AQwAxAAAAAAA=
Set-Cookie: JSESSIONID=AF5593EE1037E26E48F9DD8FEF16A42D.0; Path=/

REQ#3

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/vnd.ms-excel, application/vnd.ms-powerpoint, 
application/msword, application/x-shockwave-flash, 
application/security-capsule, */*
Accept-Language: de-at
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET 
CLR 1.1.4322)
Host: 127.0.0.1:8080
Connection: Keep-Alive
Authorization: NTLM 
TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAAA4ADgBIAAAADgAOAFYAAAASABIAZAAAAAAAAACmAAAABQKAAgUBKAoAAAAPRQBEAEkARgBBAEMAVABuADkAOQAxADIAMgA1AEUARABJAFcATwBSAEsAMQA2AKF6rV9bJga8NCoD+cbLXTa/d3v4VQ9IKLLZZ4cnczACNjRQUxgywPInrWne243JTQ==
Cookie: personalisation=lang=de; 
JSESSIONID=AF5593EE1037E26E48F9DD8FEF16A42D.0

RESP#3 none, browser times out

More information about the jcifs mailing list