[jcifs] SmbAuthException: Logon Failure: Unknown User Name or Bad Password

Michael B Allen mba2000 at ioplex.com
Mon Dec 13 21:43:31 GMT 2004

Lieber, Samuel said:
> Mike,
> Thanks for your quick response.
> So to clarify:
> (1) These parameters, jcifs.smb.client.{domain,username,password}, are
> each
> specified in the web.xml?


> (2) When you say "Create an account" in other words, is it typical to
> create
> a separate dedicated account to serve the sole purpose of
> preauthentication
> (e.g. Domain: TTSG, User: smbuser)?  And this account has to be a domain
> account, right?


> (3) Does the user in (2) have to have any special privileges (have Admin
> rights, etc.)?

No. The account should have no privledges other than whatever is necessary
to actually authenticate.

> Thanks,
> Sam
> -----Original Message-----
> From: Michael B Allen [mailto:mba2000 at ioplex.com]
> Sent: Monday, December 13, 2004 2:39 PM
> To: Lieber, Samuel
> Cc: jcifs at lists.samba.org
> Subject: Re: [jcifs] SmbAuthException: Logon Failure: Unknown User Name or
> Bad Passwor d
> On Mon, 13 Dec 2004 12:14:04 -0500
> "Lieber, Samuel" <Samuel.Lieber at Artesia.com> wrote:
>> I am trying to use NtlmHttpFilter and have been unsuccessful and I am
>> totally stumped.
>> Followed the directions exactly on
>> http://jcifs.samba.org/src/docs/ntlmhttpauth.html
>> <http://jcifs.samba.org/src/docs/ntlmhttpauth.html>  and am using the
>> NtlmHttpFilter verbatim.  Using jCIFS 1.1.4.  Running Tomcat 4.1.30 on
>> Windows XP. My problem occurs when authenticating a client (trying to
>> connect through IE 6.0).  When I do, I get a SmbAuthException saying
>> "Logon Failure: Unknown User Name or Bad Password".  I can confirm
>> that my filter is being executed and I certainly see the 3-handshaking
>> taking place.  When I examine the NtlmAuthentication object (via
>> debugging my filter), the domain and user are correct (the password is
>> null, I assume this is ok). I downloaded ethereal and did a network
>> capture as well, below is a snippet.  What is interesting is that the
>> account being accessed is GUEST?
> The server is negotiating SMB signing which requires real credentials to
> generate a MAC key. Meaning you need to provide
> jcifs.smb.client.{domain,username,password} of some account to do
> "pre-authentication". Think of this like a workstation account. Create an
> account with a long random password.
> I know it sucks that you have to have creds in the properties file but for
> now that's the way we're doing it. Windows does the same thing with the
> workstation account. It's just autogenerated when the machine first joins
> the domain and you can't access the password so easily.
> Mike
> --
> Greedo shoots first? Not in my Star Wars.

More information about the jcifs mailing list