[jcifs] NTLMServlet - again

eglass1 at comcast.net eglass1 at comcast.net
Wed Aug 6 22:39:07 EST 2003



> My configuration: I am using windows xp and iis 5.1 and tomcat 3.3 for
> development and for production there will be windows nt and iis 4.0 - but I
> do not
> expect that the problems which I encountered are stemming from this.
> 

This is probably the issue -- there was a discussion surrounding IIS w/Tomcat
a couple of weeks ago.  I don't think the final outcome was posted (it was
discussed offline due to possibly sensitive information in packet traces), but
here is a summary:

It appears that IIS will "kidnap" the NTLM requests, preventing all but the
final Type 3 message from even getting to the web app.  The app gets the
Type 3 request (after it has already been authenticated by IIS) and tries to
create an NtlmPasswordAuthentication object and set up the connection.  This
results in a new challenge being generated, which doesn't match up with the
password hashes from the NPA object, and you end up getting an SmbAuthException
(which causes you to get prompted, which starts the whole thing over again).

If you just need NTLM authentication for your servlet, the easiest way is to
use IIS's native NTLM by doing the following:
1)  In the IIS configuration, pull up the properties for the tomcat virtual
directory.  On the "Directory Security" tab, under the access control settings,
disable "Anonymous Access" and enable "Integrated Windows Authentication".

2)  Disable Tomcat authentication.  If you are using the AJP13 connector, this
is done in server.xml:

    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
            tomcatAuthentication="false" port="8009" minProcessors="5"
            maxProcessors="75" acceptCount="10" debug="0"/>

If you are using the Coyote JK2 connector, you would edit jk2.properties and
add:

    request.tomcatAuthentication="false"

This tells Tomcat to use the webserver's authentication.

3)  Remove the jCIFS filter from web.xml.  Or in your case, just extend
HttpServlet instead of NtlmHttpServlet.
After doing this, requests should be authenticated natively by IIS; you can
get the username via request.getRemoteUser().
Eric
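As an added illustration (not part of Eric's post or of the jCIFS code base), a servlet that follows step 3 above, extending HttpServlet and taking the user from request.getRemoteUser(), and that also records which NTLM message type, if any, reaches it, which is a quick way to confirm that IIS is completing the handshake upstream. The class name and the use of java.util.Base64 are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: extends HttpServlet rather than NtlmHttpServlet and
// leaves authentication to the web server (IIS with tomcatAuthentication=false).
public class IisAuthServlet extends HttpServlet {

    /** Returns the NTLM message type (1, 2 or 3) carried in an Authorization header, or 0 if none. */
    static int ntlmMessageType(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "NTLM ", 0, 5)) {
            return 0;
        }
        byte[] msg;
        try {
            msg = Base64.getDecoder().decode(authorization.substring(5).trim());
        } catch (IllegalArgumentException e) {
            return 0; // not valid base64, so not an NTLMSSP blob
        }
        // NTLMSSP blob: 8-byte signature "NTLMSSP\0" followed by a 4-byte little-endian type
        if (msg.length < 12 || !new String(msg, 0, 8, StandardCharsets.US_ASCII).equals("NTLMSSP\0")) {
            return 0;
        }
        return (msg[8] & 0xff) | (msg[9] & 0xff) << 8 | (msg[10] & 0xff) << 16 | (msg[11] & 0xff) << 24;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        int type = ntlmMessageType(req.getHeader("Authorization"));
        String user = req.getRemoteUser(); // filled in by IIS once Tomcat authentication is off
        // A Type 3 arriving with no Type 1 seen first is the symptom described in the post:
        // IIS finished the handshake before the application ever saw it.
        log("NTLM message type seen: " + type + ", remote user: " + user);
        if (user == null) {
            // Do not start a jCIFS challenge here; the web server owns authentication.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "not authenticated by the web server");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated as " + user);
    }
}
```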