[jcifs] NTLM authentication w/W3K AD

castellj at JWSeligman.com
Wed Aug 10 15:42:56 GMT 2005


We had been using jCIFS 0.7b for NTLM HTTP authentication on a WinNT domain
for quite some time with great success.  Then someone in the networking
group decided to upgrade the domain to Active Directory hosted on Windows
2003.  This broke our app's SSO.  We can still get jCIFS 0.7b to
authenticate to the domain, but not without the dreaded network login box
appearing when IE accesses the site.  One of the problems we ran into was
with SMB signing, so we decided to try upgrading jCIFS to 1.2.1.

After reading the doc, we set every parameter we could think of, especially
those that are involved with "preauthentication", but we're still getting
errors.  So we set up a simple test environment consisting of the following:

Server: WebLogic 6.1 SP7 running on JDK 1.3.1_09 on a Win2000 SP4 box.  The
server is running a single web app, which contains only the
jcifs.http.NtlmHttpFilter servlet filter.  The jCIFS 1.2.1 classes are in
the WEB-INF/lib directory, and the jCIFS properties are only in the web.xml
descriptor for the web app. The web.xml is attached.
 <<web.xml>> 
Client:  MSIE 6.0.2800.1106 running on the same machine as the server

Domain:  Active Directory on Windows 2003 running in mixed mode (a single
NT4 BDC still exists at a west coast office)

Here's the stderr from the web server immediately after restart and after a
single attempt to access the default web app on the server:

#JCIFS PROPERTIES	
#Tue Aug 09 16:55:46 EDT 2005	
java.vendor=Sun Microsystems Inc.	
jcifs.smb.lmCompatibility=3	
weblogic.system.NodeManagerBoot=true	
jcifs.netbios.cachePolicy=1200	
os.name=Windows 2000	
sun.boot.class.path=C\:\\usr\\local\\bea\\jdk131\\jre\\lib\\rt.jar;C\:\\usr\
\local\\bea\\jdk131\\jre\\lib\\i18n.jar;C\:\\usr\\local\\bea\\jdk131\\jre\\l
ib\\sunrsasign.jar;C\:\\usr\\local\\bea\\jdk131\\jre\\classes	
jcifs.smb.client.laddr=10.112.1.54	
java.vm.specification.vendor=Sun Microsystems Inc.	
java.runtime.version=1.3.1_09-b03	
weblogic.Name=JWSNet001	
jmx.implementation.vendor=Sun Microsystems	
user.name=castellj	
log4j.configuration=file\:/usr/jws/jwsnet/cfg/log4j.xml	
weblogic.RootDirectory=/usr/local/bea/wlserver6.1	
jcifs.smb.client.domain=JWSNET	
bea.home=/usr/local/bea	
jcifs.smb.client.signingPreferred=false	
jmx.implementation.name=JMX RI	
user.language=en	
java.naming.factory.initial=weblogic.jndi.WLInitialContextFactory	
sun.boot.library.path=C\:\\usr\\local\\bea\\jdk131\\jre\\bin	
jcifs.netbios.wins=192.250.168.53,192.250.168.54	
jmx.specification.name=Java Management Extensions	
java.version=1.3.1_09	
user.timezone=America/New_York	
javax.rmi.CORBA.UtilClass=weblogic.iiop.UtilDelegateImpl	
jmx.specification.version=1.0 Final Release	
jcifs.http.domainController=192.250.168.44	
sun.cpu.isalist=pentium i486 i386	
jmx.implementation.version=1.0	
file.encoding.pkg=sun.io	
file.separator=\\	
java.specification.name=Java Platform API Specification	
java.class.version=47.0	
java.home=C\:\\usr\\local\\bea\\jdk131\\jre	
java.vm.info=interpreted mode	
os.version=5.0	
weblogic.system.passwordfile=C\:\\usr\\local\\bea\\wlserver6.1\\NodeManagerL
ogs\\NodeManagerInternal\\bootFile_JWS_JWSNet001	
jcifs.smb.client.soTimeout=300000	
jcifs.smb.client.password=seligman5	
java.awt.fonts=	
path.separator=;	
java.vm.version=1.3.1_09-b03	
weblogic.security.jaas.Configuration=weblogic.security.internal.ServerConfig

java.protocol.handler.pkgs=weblogic.utils|weblogic.utils|weblogic.net|weblog
ic.management	
jmx.specification.vendor=Sun Microsystems	
jcifs.smb.client.username=jwsintranet	
java.awt.printerjob=sun.awt.windows.WPrinterJob	
java.security.policy=\=/usr/local/bea/wlserver6.1/lib/weblogic.policy	
sun.io.unicode.encoding=UnicodeLittle	
awt.toolkit=sun.awt.windows.WToolkit	
jcifs.util.loglevel=3	
java.naming.factory.url.pkgs=weblogic.jndi.factories	
user.home=C\:\\Documents and Settings\\castellj	
weblogic.management.server=castelljdt2\:7011	
java.specification.vendor=Sun Microsystems Inc.	
org.xml.sax.driver=weblogic.apache.xerces.parsers.SAXParser	
java.library.path=C\:\\usr\\local\\bea\\jdk131\\bin;.;C\:\\WINNT\\system32;C
\:\\WINNT;C\:\\usr\\local\\bea\\jdk131\\bin;.\\bin;C\:\\Program
Files\\Actuate8\\ClntIntTech\\ActiveX Control\\bin;C\:\\Program Files\\MKS
Toolkit\\mksnt;C\:\\Perl\\bin\\;C\:\\PROGRA~1\\MKSTOO~1\\bin;C\:\\PROGRA~1\\
MKSTOO~1\\bin\\X11;C\:\\PROGRA~1\\MKSTOO~1\\mksnt;C\:\\WINNT\\system32;C\:\\
WINNT;C\:\\WINNT\\System32\\Wbem;C\:\\Sybase\\DLL;C\:\\Sybase\\BIN;C\:\\Prog
ram Files\\Hummingbird\\Connectivity\\9.00\\Accessories\\;C\:\\Program
Files\\cvsnt;C\:\\Program Files\\Microsoft SQL
Server\\80\\Tools\\Binn\\;C\:\\Program Files\\Microsoft Visual
Studio\\Common\\Tools\\WinNT;C\:\\Program Files\\Microsoft Visual
Studio\\Common\\MSDev98\\Bin;C\:\\Program Files\\Microsoft Visual
Studio\\Common\\Tools;C\:\\Program Files\\Microsoft Visual
Studio\\VC98\\bin;C\:\\utils;C\:\\Borland\\BCC55\\bin;C\:\\Program
Files\\CVSNT\\;C\:\\SYBASE\\DLL;	
java.vendor.url=http\://java.sun.com/	
java.vm.vendor=Sun Microsystems Inc.	
java.runtime.name=Java(TM) 2 Runtime Environment, Standard Edition	
java.class.path=/usr/jws/jwsnet/lib/xerces.jar;/usr/jws/jwsnet/lib/log4j-1.2
.6.jar;/usr/local/bea/wlserver6.1/lib/CR196879_61sp7.jar;/sybase/jConnect-5_
5/classes/jconn2.jar;/usr/local/bea/wlserver6.1/lib/weblogic_sp.jar;/usr/loc
al/bea/wlserver6.1/lib/weblogic.jar;/usr/jws/jwsnet/lib/msutil.jar;/usr/jws/
jwsnet/lib/mssqlserver.jar;/usr/jws/jwsnet/lib/msbase.jar;/usr/jws/jwsnet/JW
SNetServer.jar;/usr/jws/jwsnet/lib/commons-logging-1.0.jar;/usr/jws/jwsnet/l
ib/poi-2.5-final-20040302.jar;/usr/local/bea/wlserver6.1/config/JWS/applicat
ions/JWSWL61Common.jar;/usr/jws/jwsnet/lib/velocity-1.4.jar;/usr/jws/jwsnet/
lib/commons-collections-3.1.jar	
weblogic.Domain=JWS	
jcifs.netbios.hostname=CASTELLJDT2	
java.vm.specification.name=Java Virtual Machine Specification	
java.vm.specification.version=1.0	
javax.rmi.CORBA.PortableRemoteObjectClass=weblogic.iiop.PortableRemoteObject
DelegateImpl	
sun.cpu.endian=little	
java.io.tmpdir=C\:\\Temp\\	
java.vendor.url.bug=http\://java.sun.com/cgi-bin/bugreport.cgi	
os.arch=x86	
java.awt.graphicsenv=sun.awt.Win32GraphicsEnvironment	
java.ext.dirs=C\:\\usr\\local\\bea\\jdk131\\jre\\lib\\ext	
weblogic.security.jaas.Policy=/usr/local/bea/wlserver6.1\\lib\\Server.policy

user.dir=C\:\\usr\\local\\bea\\wlserver6.1	
line.separator=\r\n	
java.vm.name=Java HotSpot(TM) Client VM	
user.region=US	
file.encoding=Cp1252	
java.specification.version=1.3	
Attempting to negotiate with DC at 192.250.168.44:445...	
New data read: Transport1[0.0.0.0<00>/192.250.168.44:445]	
00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00 |ÿSMBr......À....|

00010: 00 00 00 00 00 00 00 00 00 00 07 51 00 00 01 00 |...........Q....|

	
byteCount=40 but readBytesWireFormat returned 20	
treeConnect: unc=\\NTAWS115\IPC$,service=?????	
treeConnect: unc=\\NTAWS115\IPC$,service=?????	
New data read: Transport1[NTAWS115<00>/192.250.168.44:445]	
00000: FF 53 4D 42 73 00 00 00 00 98 07 C0 00 00 63 E5 |ÿSMBs......À..cå|

00010: 2F 93 E6 14 E5 22 00 00 02 58 07 51 02 A8 02 00 |/.æ.å"...X.Q.¨..|

	
New data read: Transport1[NTAWS115<00>/192.250.168.44:445]	
00000: FF 53 4D 42 73 22 00 00 C0 98 07 C0 00 00 2F 58 |ÿSMBs"..À..À../X|

00010: C9 FB CB C4 DE A5 00 00 00 00 07 51 00 00 03 00 |ÉûËÄÞ¥.....Q....|

	
signature verification failure	
00000: 5D 97 67 FE 2D A0 0D 06 |].gþ- .. |	
	
00000: 2F 58 C9 FB CB C4 DE A5 |/XÉûËÄÞ¥ |	
	
NtlmHttpFilter: JWSNET\castellj: 0xC0000022: jcifs.smb.SmbAuthException:
Access is denied.	
java.io.InterruptedIOException: Receive timed out	
at java.net.PlainDatagramSocketImpl.receive(Native Method)	
at java.net.DatagramSocket.receive(DatagramSocket.java:387)	
at jcifs.netbios.NameServiceClient.run(NameServiceClient.java:184)	
at java.lang.Thread.run(Thread.java:479)	
treeConnect: unc=\\NTAWS115\IPC$,service=?????	
New data read: Transport1[NTAWS115<00>/192.250.168.44:445]	
00000: FF 53 4D 42 73 22 00 00 C0 98 07 C0 00 00 52 82 |ÿSMBs"..À..À..R.|

00010: 93 A7 FA FD 16 85 00 00 00 00 07 51 00 00 04 00 |.§úý.......Q....|

	
signature verification failure	
00000: 8D 70 8C 6F A2 F1 C2 0F |.p.o¢ñÂ. |	
	
00000: 52 82 93 A7 FA FD 16 85 |R..§úý.. |	
	
NtlmHttpFilter: JWSNET\castellj: 0xC0000022: jcifs.smb.SmbAuthException:
Access is denied.	
treeConnect: unc=\\NTAWS115\IPC$,service=?????	
New data read: Transport1[NTAWS115<00>/192.250.168.44:445]	
00000: FF 53 4D 42 73 22 00 00 C0 98 07 C0 00 00 38 86 |ÿSMBs"..À..À..8.|

00010: B2 FF 77 1E 01 B9 00 00 00 00 07 51 00 00 05 00 |²ÿw..¹.....Q....|

	
signature verification failure	
00000: 20 E1 12 45 B9 63 D8 30 | á.E¹cØ0 |	
	
00000: 38 86 B2 FF 77 1E 01 B9 |8.²ÿw..¹ |	
	
NtlmHttpFilter: JWSNET\castellj: 0xC0000022: jcifs.smb.SmbAuthException:
Access is denied.	
java.io.InterruptedIOException: Read timed out	
at java.net.SocketInputStream.socketRead(Native Method)	
at java.net.SocketInputStream.read(SocketInputStream.java:85)	
at jcifs.util.transport.Transport.readn(Transport.java:29)	
at jcifs.smb.SmbTransport.peekKey(SmbTransport.java:321)	
at jcifs.util.transport.Transport.loop(Transport.java:89)	
at jcifs.util.transport.Transport.run(Transport.java:229)	
at java.lang.Thread.run(Thread.java:479)	


We have an Ethereal capture for the network traffic at the time the above
messages were generated.  Any and all help greatly appreciated.  So far,
this has been one of the few questions that Google has not been able to
answer.

Thanks,
-jc



-------------- next part --------------
A non-text attachment was scrubbed...
Name: web.xml
Type: application/octet-stream
Size: 2113 bytes
Desc: not available
Url : http://lists.samba.org/archive/jcifs/attachments/20050810/b8c44680/web.obj
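
Added example (not part of the original post and not jCIFS code): a small decoder for the fixed 32-byte SMB1 header, run over the hex columns of the three "New data read" dumps above, to show which fields carry the NT status and the 8-byte signature. The field layout is the standard SMB1 header; the function and constant names are made up for this example.

```python
import re
import struct

# SMB1 header constants; only the values that occur in this log are named.
COMMANDS = {0x72: "NEGOTIATE", 0x73: "SESSION_SETUP_ANDX", 0x75: "TREE_CONNECT_ANDX"}
NT_STATUS = {0x00000000: "STATUS_SUCCESS", 0xC0000022: "STATUS_ACCESS_DENIED"}
FLAGS2_SECURITY_SIGNATURE = 0x0004

# Hex columns copied from the three "New data read" dumps in the post
# (ASCII gutter and blank lines dropped).
SAMPLE_LOG = """\
00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 07 51 00 00 01 00
00000: FF 53 4D 42 73 00 00 00 00 98 07 C0 00 00 63 E5
00010: 2F 93 E6 14 E5 22 00 00 02 58 07 51 02 A8 02 00
00000: FF 53 4D 42 73 22 00 00 C0 98 07 C0 00 00 2F 58
00010: C9 FB CB C4 DE A5 00 00 00 00 07 51 00 00 03 00
"""

HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]{5}):((?:\s+[0-9A-Fa-f]{2})+)")

def headers_from_log(text):
    """Reassemble hexdump lines into packets; keep those starting with an SMB1 header."""
    packets, current = [], bytearray()
    for line in text.splitlines() + ["00000: 00"]:  # sentinel flushes the last packet
        m = HEX_LINE.match(line.split("|")[0])      # ignore the ASCII gutter
        if not m:
            continue
        if int(m.group(1), 16) == 0:                # offset 0 starts a new dump
            if len(current) >= 32 and current[:4] == b"\xffSMB":
                packets.append(bytes(current[:32]))
            current = bytearray()
        current += bytes.fromhex("".join(m.group(2).split()))
    return packets

def parse_header(hdr):
    """Decode the fixed 32-byte SMB1 header (all fields little-endian)."""
    (_magic, cmd, status, _flags, flags2, _pid_high, sig,
     _rsvd, _tid, _pid, uid, mid) = struct.unpack("<4sBIBHH8sHHHHH", hdr)
    return {
        "command": COMMANDS.get(cmd, hex(cmd)),
        "status": NT_STATUS.get(status, "0x%08X" % status),
        "signed": bool(flags2 & FLAGS2_SECURITY_SIGNATURE),
        "signature": sig.hex(),
        "uid": uid,
        "mid": mid,
    }

if __name__ == "__main__":
    for h in headers_from_log(SAMPLE_LOG):
        print(parse_header(h))
```

In the third header the status field is 0xC0000022, the same code NtlmHttpFilter reports, and the signature field is 2F 58 C9 FB CB C4 DE A5, the second of the two values printed under the first "signature verification failure".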

