[jcifs] jcifs-0.9.5 timeout on the Windows 2003 domain controller

Eric Glass eric.glass at gmail.com
Thu Jul 22 00:20:39 GMT 2004

1)  I see the confusion.  "http.auth.ntlm.domain" (not
"jcifs.http.auth.ntlm.domain") is used for client-side HTTP
connections.  This is used to connect to an NTLM protected site from
an application, using something like:

    URL url = new URL("http://server/dir/file.txt");

Sun's JDK on Windows can connect to NTLM servers; jCIFS allows other
platforms to do the same.  The "http.auth.ntlm.domain" parameter is
used by Sun, so we use it as well for compatibility.  This client-side
functionality is unrelated to the server-side filter functionality,

2)  Windows 2003 servers use SMB signing by default.  Try specifying
the "jcifs.smb.client.domain", "jcifs.smb.client.username", and
"jcifs.smb.client.password" parameters, i.e.:


The filter will connect with the domain controller for MYDOMAIN using
this password to set up signing (which requires knowledge of an
account password).  Subsequent authentications can use this
preauthenticated connection, which should eliminate the errors you are
getting.  You can specify any valid account credentials.

3)  If you don't specify a domain controller (using
"jcifs.http.domainController") or a domain (using
"jcifs.smb.client.domain") it will find the local host (i.e. the
servlet container).  That server will have its own connection to a
domain controller somewhere (doesn't really matter where in most

The preferred method is to specify "jcifs.smb.client.domain" (giving a
domain name) and "jcifs.netbios.wins" (which specifies the address of
a WINS server for name resolution).  This allows jCIFS to load balance
between multiple domain controllers on the back end (it will find the
available domain controllers for the domain you specify).  Note that
since your controllers are Windows 2003, you may need to specify a
username and password as mentioned above to set up the domain
controller connections.  So you'd probably be pretty well off with
something like:


If you don't know your WINS server address, you can do "ipconfig /all"
under a Windows command prompt; one or more will typically be listed
in the output.

Alternatively, you should also be able to continue connecting to the
local box (your application server).  It's a bit strange that you're
seeing intermittent issues doing so; you might try specifying its IP
address explicitly (using "jcifs.http.domainController" =
appServerIPAddress).  The advantage to this would be that you can be
relatively certain the SMB server will be up and running (since it's
on the same box as the application server).


----- Original Message -----
From: John Jih <john.jih at halliburton.com>
Date: Wed, 21 Jul 2004 15:46:21 -0500
Subject: RE: [jcifs] jcifs-0.9.5 timeout on the Windows 2003 domain controller
To: Eric Glass <eric.glass at gmail.com>
Cc: jCIFS Mailing List <jcifs at lists.samba.org>



1. Please visit this site to see the documentation of the



2. No matter whether I use 'jcifs.http.domainController' or 'jcifs.smb.client.domain',
if it is for a Windows 2003 Domain Controller, I got the following authentication
prompt; it does not happen on a Windows 2000 DC. Even after typing in the correct password,
it still does not let me in.



3. You were right on the web.xml file: if I clean up all the <init-param>,
it allows me to visit the page. Would you explain how it can be done? Does it
use the Web application server to authenticate the user? But from which Domain



John Jih


-----Original Message-----
From: Eric Glass [mailto:eric.glass at gmail.com]
Sent: Wednesday, July 21, 2004 12:32 PM
To: John Jih
Cc: jCIFS Mailing List
Subject: Re: [jcifs] jcifs-0.9.5 timeout on the Windows 2003 domain controller


> 1. We used jcifs.http.domainController (with jcifs-0.7.14 or 0.9.1
> beyond) on win2000 DC before, until all our DC will be upgraded to
> win2003, this parameter caused the ID and Password prompt, after
> tries, it gives us the blank web page. We tried on jcifs-0.8.2, it
> actually worked for us without the ID, Password prompt.



Sending a packet trace to either Mike or myself would help in
troubleshooting this.


> 2. The "jcifs.http.auth.ntlm.domain" works for jcifs-0.9.1 and beyond at
> least, but the only problem is we got 1 to 4 timeouts a day or no
> timeout for several days for win2003 DC. That is higher frequency
> using win2000 DC, we suspect the network traffic or DC overload or
> helpdesk support messed with the DC at that time.



"jcifs.http.auth.ntlm.domain" isn't a valid jCIFS parameter; it is
meaningless.  You would get the same result removing it

jCIFS will end up using the local netbios name you've defined using
the "jcifs.netbios.hostname" parameter.  In your example, this is
"MY_DEV_9009"; that's the box that will end up being used as the DC.
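
The filter settings discussed in this thread, as an added example that is not part of the original messages or of jCIFS: a small linter that reads the NTLM filter's init-params from a web.xml and reports the misconfigurations described above. The web.xml samples, the finding codes, the WINS address and the account values are constructed placeholders, and flagging every configuration that lacks a preauthentication account is an assumption based on the Windows 2003 signing advice.

```python
import xml.etree.ElementTree as ET

def web_xml(params):
    """Build a minimal web.xml (constructed sample input) from a dict of init-params."""
    body = "".join(
        f"<init-param><param-name>{k}</param-name>"
        f"<param-value>{v}</param-value></init-param>" for k, v in params.items())
    return ("<web-app><filter><filter-name>NtlmHttpFilter</filter-name>"
            f"<filter-class>jcifs.http.NtlmHttpFilter</filter-class>{body}"
            "</filter></web-app>")

# Constructed: the setup from the quoted message (misnamed parameter only).
BEFORE = web_xml({"jcifs.http.auth.ntlm.domain": "MYDOMAIN",
                  "jcifs.netbios.hostname": "MY_DEV_9009"})
# Constructed: domain + WINS + preauthentication account; values are placeholders.
AFTER = web_xml({"jcifs.smb.client.domain": "MYDOMAIN",
                 "jcifs.netbios.wins": "192.0.2.10",
                 "jcifs.smb.client.username": "svc-placeholder",
                 "jcifs.smb.client.password": "PLACEHOLDER"})

def local(tag):
    """Strip an XML namespace so DTD- and schema-based web.xml files both parse."""
    return tag.rsplit("}", 1)[-1]

def filter_params(xml_text):
    """Collect {param-name: param-value} from every <filter>'s <init-param>s."""
    params = {}
    for flt in (e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "filter"):
        for ip in (e for e in flt if local(e.tag) == "init-param"):
            kv = {local(c.tag): (c.text or "").strip() for c in ip}
            params[kv.get("param-name", "")] = kv.get("param-value", "")
    return params

def lint(xml_text):
    """Return finding codes for the misconfigurations discussed in the thread."""
    p, found = filter_params(xml_text), []
    if any(k.endswith("http.auth.ntlm.domain") for k in p):
        found.append("CLIENT_SIDE_PARAM")      # not read by the server-side filter
    has_domain = "jcifs.smb.client.domain" in p
    if not has_domain and "jcifs.http.domainController" not in p:
        found.append("NO_DC_OR_DOMAIN")        # local host ends up acting as the DC
    if has_domain and "jcifs.netbios.wins" not in p:
        found.append("DOMAIN_WITHOUT_WINS")    # no WINS lookup of the domain's DCs
    creds = ("jcifs.smb.client.username", "jcifs.smb.client.password")
    if not all(p.get(k) for k in creds):
        found.append("NO_PREAUTH_ACCOUNT")     # signing needs an account password
    return found

if __name__ == "__main__":
    print("before:", lint(BEFORE))
    print("after: ", lint(AFTER))
```

Because the preauthentication password sits in web.xml as plain text, a dedicated low-privilege domain account and tight read permissions on the file are the sensible pairing for the AFTER configuration.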


