[jcifs] Why would auth work on one server and not on another?

eglass1 at comcast.net eglass1 at comcast.net
Thu Jul 10 21:37:35 EST 2003

> > >
> > > 1: IE -> request a page from server
> > > 2: Server -> tells IE it needs to Auth using NTLM
> > > 3: IE -> says ok and sends back a blob
> > > 4: Server -> gets glob, does some fancy footwork, tries to send back 
> >blob,
> > > but stupid IE has hung up
> > >

The server is sending

Connection: close

with the Type-2 challenge.  This will cause NTLM negotiation to fail.  Doing a
response.sendError (rather than response.setStatus) can cause this; there may
also be a flaw in either the specification or implementation of the older
Servlet spec that you're using.  If you could post some of the relevant code
(anything dealing with the servlet response) I can take a look at it.

A persistent connection is typically required by clients which implement NTLM
using the Windows SSPI library (including IE and Mozilla).  This is an ease of
implementation issue.  The client has to maintain a handle to an SSPI security
context between function calls; the easiest way to do this is just to keep the
connection open and pass tokens (i.e., the NTLM messages) back and forth.  If
the connection is broken, the client loses track of the security context it was
in the process of establishing.


More information about the jcifs mailing list