[jcifs] Re: NtlmHttpFilter

Michael B Allen mba2000 at ioplex.com
Wed Feb 4 10:41:16 GMT 2004


Pittur said:
> Well the funny thing is that I get Access denied in only 5% of the time I
> try to authenticate. In other cases this works fine and until we updated to
> 2003 server everything was fine. Another funny thing is that a user can try
> to log on at one minute and gets access denied and then he tries again in 5
> minutes and everything works fine.
> This is very frustrating.

I did notice one thing that's probably not related but ... if you set the
jcifs.smb.client.soTimeout very low such that the SMB transport closes
before the user's HTTP session expires the old password hashes can be used
which can result in Access denied. The jcifs-0.8.0b1 package removes
the old hashes when this happens (but still needs improvement). You might
try that release or increase the soTimeout init parameter to something
really big like an hour. But I doubt that's the problem or we would have
seen it reported by now. So far I've heard nothing but reports that it's
rock-solid. I think the HTTP session is explicitly closed at some point
which would prevent such a thing from happening anyway. Also it only
happens if you authenticate, then wait 10 minutes with no traffic to keep
the connection open to the DC, and then try to access a page. So you can
eliminate that as a possibility if you can open a new browser and get
Access denied. I just ran across all of this because I was deliberately
trying to create extreme conditions but in theory I think it's possible it
can happen in the wild.

Otherwise, it sounds like it could be just some kind of network problem.
There are lots of things that can mess up your network that most people
don't even realize. Something as trivial as having a NIC in half-duplex
on your network when everyone else is full can cause strange errors. You
could have a bad switch. The list is long.

If you can get a packet capture of one of these events I'll have a look-see[1].

Mike

[1] http://jcifs.samba.org/capture.html


