[jcifs] SmbAuthException: Logon Failure: Unknown User Name or Bad Password

Lieber, Samuel Samuel.Lieber at Artesia.com
Mon Dec 13 19:55:09 GMT 2004


Thanks for your quick response.

So to clarify:

(1) These parameters, jcifs.smb.client.{domain,username,password}, are each
specified in the web.xml?  If not, where?
(2) When you say "Create an account" in other words, is it typical to create
a separate dedicated account to serve the sole purpose of preauthentication
(e.g. Domain: TTSG, User: smbuser)?  And this account has to be a domain
account, right?
(3) Does the user in (2) have to have any special privileges (have Admin
rights, etc.)?


-----Original Message-----
From: Michael B Allen [mailto:mba2000 at ioplex.com] 
Sent: Monday, December 13, 2004 2:39 PM
To: Lieber, Samuel
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] SmbAuthException: Logon Failure: Unknown User Name or
Bad Passwor d

On Mon, 13 Dec 2004 12:14:04 -0500
"Lieber, Samuel" <Samuel.Lieber at Artesia.com> wrote:

> I am trying to use NtlmHttpFilter and have been unsuccessful and I am 
> totally stumped.
> Followed the directions exactly on 
> http://jcifs.samba.org/src/docs/ntlmhttpauth.html
> <http://jcifs.samba.org/src/docs/ntlmhttpauth.html>  and am using the 
> NtlmHttpFilter verbatim.  Using jCIFS 1.1.4.  Running Tomcat 4.1.30 on 
> Windows XP. My problem occurs when authenticating a client (trying to 
> connect through IE 6.0).  When I do, I get a SmbAuthException saying 
> "Logon Failure: Unknown User Name or Bad Password".  I can confirm 
> that my filter is being executed and I certainly see the 3-handshaking 
> taking place.  When I examine the NtlmAuthentication object (via 
> debugging my filter), the domain and user are correct (the password is 
> null, I assume this is ok). I downloaded ethereal and did a network 
> capture as well, below is a snippet.  What is interesting is that the 
> account being accessed is GUEST?

The server is negotiating SMB signing which requires real credentials to
generate a MAC key. Meaning you need to provide
jcifs.smb.client.{domain,username,password} of some account to do
"pre-authentication". Think of this like a workstation account. Create an
account with a long random password.

I know it sucks that you have to have creds in the properties file but for
now that's the way we're doing it. Windows does the same thing with the
workstation account. It's just autogenerated when the machine first joins
the domain and you can't access the password so easily.


Greedo shoots first? Not in my Star Wars.

More information about the jcifs mailing list