[jcifs] NTLM authentication w/W3K AD
castellj at JWSeligman.com
Wed Aug 10 15:42:56 GMT 2005
We had been using jCIFS 0.7b for NTLM HTTP authentication on a WinNT domain
for quite some time with great success. Then someone in the networking
group decided to upgrade the domain to Active Directory hosted on Windows
2003. This broke our app's SSO. We can still get jCIFS 0.7b to
authenticate to the domain, but not without the dreaded network login box
appearing when IE accesses the site. One of the problems we ran into was
with SMB signing, so we decided to try upgrading jCIFS to 1.2.1.
After reading the doc, we set every parameter we could think of, especially
those that are involved with "preauthentication", but we're still getting
errors. So we set up a simple test environment consisting of the following:
Server: WebLogic 6.1 SP7 running on JDK 1.3.1_09 on a Win2000 SP4 box. The
server is running a single web app, which contains only the
jcifs.http.NtlmHttpFilter servlet filter. The jCIFS 1.2.1 classes are in
the WEB-INF/lib directory, and the jCIFS properties are only in the web.xml
descriptor for the web app. The web.xml is attached.
<<web.xml>>
Client: MSIE 6.0.2800.1106 running on the same machine as the server
Domain: Active Directory on Windows 2003 running in mixed mode (a single
NT4 BDC still exists at a west coast office)
Here's the stderr from the web server immediately after restart and after a
single attempt to access the default web app on the server:
#JCIFS PROPERTIES
#Tue Aug 09 16:55:46 EDT 2005
java.vendor=Sun Microsystems Inc.
jcifs.smb.lmCompatibility=3
weblogic.system.NodeManagerBoot=true
jcifs.netbios.cachePolicy=1200
os.name=Windows 2000
sun.boot.class.path=C\:\\usr\\local\\bea\\jdk131\\jre\\lib\\rt.jar;C\:\\usr\
\local\\bea\\jdk131\\jre\\lib\\i18n.jar;C\:\\usr\\local\\bea\\jdk131\\jre\\l
ib\\sunrsasign.jar;C\:\\usr\\local\\bea\\jdk131\\jre\\classes
jcifs.smb.client.laddr=10.112.1.54
java.vm.specification.vendor=Sun Microsystems Inc.
java.runtime.version=1.3.1_09-b03
weblogic.Name=JWSNet001
jmx.implementation.vendor=Sun Microsystems
user.name=castellj
log4j.configuration=file\:/usr/jws/jwsnet/cfg/log4j.xml
weblogic.RootDirectory=/usr/local/bea/wlserver6.1
jcifs.smb.client.domain=JWSNET
bea.home=/usr/local/bea
jcifs.smb.client.signingPreferred=false
jmx.implementation.name=JMX RI
user.language=en
java.naming.factory.initial=weblogic.jndi.WLInitialContextFactory
sun.boot.library.path=C\:\\usr\\local\\bea\\jdk131\\jre\\bin
jcifs.netbios.wins=192.250.168.53,192.250.168.54
jmx.specification.name=Java Management Extensions
java.version=1.3.1_09
user.timezone=America/New_York
javax.rmi.CORBA.UtilClass=weblogic.iiop.UtilDelegateImpl
jmx.specification.version=1.0 Final Release
jcifs.http.domainController=192.250.168.44
sun.cpu.isalist=pentium i486 i386
jmx.implementation.version=1.0
file.encoding.pkg=sun.io
file.separator=\\
java.specification.name=Java Platform API Specification
java.class.version=47.0
java.home=C\:\\usr\\local\\bea\\jdk131\\jre
java.vm.info=interpreted mode
os.version=5.0
weblogic.system.passwordfile=C\:\\usr\\local\\bea\\wlserver6.1\\NodeManagerL
ogs\\NodeManagerInternal\\bootFile_JWS_JWSNet001
jcifs.smb.client.soTimeout=300000
jcifs.smb.client.password=seligman5
java.awt.fonts=
path.separator=;
java.vm.version=1.3.1_09-b03
weblogic.security.jaas.Configuration=weblogic.security.internal.ServerConfig
java.protocol.handler.pkgs=weblogic.utils|weblogic.utils|weblogic.net|weblog
ic.management
jmx.specification.vendor=Sun Microsystems
jcifs.smb.client.username=jwsintranet
java.awt.printerjob=sun.awt.windows.WPrinterJob
java.security.policy=\=/usr/local/bea/wlserver6.1/lib/weblogic.policy
sun.io.unicode.encoding=UnicodeLittle
awt.toolkit=sun.awt.windows.WToolkit
jcifs.util.loglevel=3
java.naming.factory.url.pkgs=weblogic.jndi.factories
user.home=C\:\\Documents and Settings\\castellj
weblogic.management.server=castelljdt2\:7011
java.specification.vendor=Sun Microsystems Inc.
org.xml.sax.driver=weblogic.apache.xerces.parsers.SAXParser
java.library.path=C\:\\usr\\local\\bea\\jdk131\\bin;.;C\:\\WINNT\\system32;C
\:\\WINNT;C\:\\usr\\local\\bea\\jdk131\\bin;.\\bin;C\:\\Program
Files\\Actuate8\\ClntIntTech\\ActiveX Control\\bin;C\:\\Program Files\\MKS
Toolkit\\mksnt;C\:\\Perl\\bin\\;C\:\\PROGRA~1\\MKSTOO~1\\bin;C\:\\PROGRA~1\\
MKSTOO~1\\bin\\X11;C\:\\PROGRA~1\\MKSTOO~1\\mksnt;C\:\\WINNT\\system32;C\:\\
WINNT;C\:\\WINNT\\System32\\Wbem;C\:\\Sybase\\DLL;C\:\\Sybase\\BIN;C\:\\Prog
ram Files\\Hummingbird\\Connectivity\\9.00\\Accessories\\;C\:\\Program
Files\\cvsnt;C\:\\Program Files\\Microsoft SQL
Server\\80\\Tools\\Binn\\;C\:\\Program Files\\Microsoft Visual
Studio\\Common\\Tools\\WinNT;C\:\\Program Files\\Microsoft Visual
Studio\\Common\\MSDev98\\Bin;C\:\\Program Files\\Microsoft Visual
Studio\\Common\\Tools;C\:\\Program Files\\Microsoft Visual
Studio\\VC98\\bin;C\:\\utils;C\:\\Borland\\BCC55\\bin;C\:\\Program
Files\\CVSNT\\;C\:\\SYBASE\\DLL;
java.vendor.url=http\://java.sun.com/
java.vm.vendor=Sun Microsystems Inc.
java.runtime.name=Java(TM) 2 Runtime Environment, Standard Edition
java.class.path=/usr/jws/jwsnet/lib/xerces.jar;/usr/jws/jwsnet/lib/log4j-1.2
.6.jar;/usr/local/bea/wlserver6.1/lib/CR196879_61sp7.jar;/sybase/jConnect-5_
5/classes/jconn2.jar;/usr/local/bea/wlserver6.1/lib/weblogic_sp.jar;/usr/loc
al/bea/wlserver6.1/lib/weblogic.jar;/usr/jws/jwsnet/lib/msutil.jar;/usr/jws/
jwsnet/lib/mssqlserver.jar;/usr/jws/jwsnet/lib/msbase.jar;/usr/jws/jwsnet/JW
SNetServer.jar;/usr/jws/jwsnet/lib/commons-logging-1.0.jar;/usr/jws/jwsnet/l
ib/poi-2.5-final-20040302.jar;/usr/local/bea/wlserver6.1/config/JWS/applicat
ions/JWSWL61Common.jar;/usr/jws/jwsnet/lib/velocity-1.4.jar;/usr/jws/jwsnet/
lib/commons-collections-3.1.jar
weblogic.Domain=JWS
jcifs.netbios.hostname=CASTELLJDT2
java.vm.specification.name=Java Virtual Machine Specification
java.vm.specification.version=1.0
javax.rmi.CORBA.PortableRemoteObjectClass=weblogic.iiop.PortableRemoteObject
DelegateImpl
sun.cpu.endian=little
java.io.tmpdir=C\:\\Temp\\
java.vendor.url.bug=http\://java.sun.com/cgi-bin/bugreport.cgi
os.arch=x86
java.awt.graphicsenv=sun.awt.Win32GraphicsEnvironment
java.ext.dirs=C\:\\usr\\local\\bea\\jdk131\\jre\\lib\\ext
weblogic.security.jaas.Policy=/usr/local/bea/wlserver6.1\\lib\\Server.policy
user.dir=C\:\\usr\\local\\bea\\wlserver6.1
line.separator=\r\n
java.vm.name=Java HotSpot(TM) Client VM
user.region=US
file.encoding=Cp1252
java.specification.version=1.3
Attempting to negotiate with DC at 192.250.168.44:445...
New data read: Transport1[0.0.0.0<00>/192.250.168.44:445]
00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00 |ÿSMBr......À....|
00010: 00 00 00 00 00 00 00 00 00 00 07 51 00 00 01 00 |...........Q....|
byteCount=40 but readBytesWireFormat returned 20
treeConnect: unc=\\NTAWS115\IPC$,service=?????
treeConnect: unc=\\NTAWS115\IPC$,service=?????
New data read: Transport1[NTAWS115<00>/192.250.168.44:445]
00000: FF 53 4D 42 73 00 00 00 00 98 07 C0 00 00 63 E5 |ÿSMBs......À..cå|
00010: 2F 93 E6 14 E5 22 00 00 02 58 07 51 02 A8 02 00 |/.æ.å"...X.Q.¨..|
New data read: Transport1[NTAWS115<00>/192.250.168.44:445]
00000: FF 53 4D 42 73 22 00 00 C0 98 07 C0 00 00 2F 58 |ÿSMBs"..À..À../X|
00010: C9 FB CB C4 DE A5 00 00 00 00 07 51 00 00 03 00 |ÉûËÄÞ¥.....Q....|
signature verification failure
00000: 5D 97 67 FE 2D A0 0D 06 |].gþ- .. |
00000: 2F 58 C9 FB CB C4 DE A5 |/XÉûËÄÞ¥ |
NtlmHttpFilter: JWSNET\castellj: 0xC0000022: jcifs.smb.SmbAuthException:
Access is denied.
java.io.InterruptedIOException: Receive timed out
at java.net.PlainDatagramSocketImpl.receive(Native Method)
at java.net.DatagramSocket.receive(DatagramSocket.java:387)
at jcifs.netbios.NameServiceClient.run(NameServiceClient.java:184)
at java.lang.Thread.run(Thread.java:479)
treeConnect: unc=\\NTAWS115\IPC$,service=?????
New data read: Transport1[NTAWS115<00>/192.250.168.44:445]
00000: FF 53 4D 42 73 22 00 00 C0 98 07 C0 00 00 52 82 |ÿSMBs"..À..À..R.|
00010: 93 A7 FA FD 16 85 00 00 00 00 07 51 00 00 04 00 |.§úý.......Q....|
signature verification failure
00000: 8D 70 8C 6F A2 F1 C2 0F |.p.o¢ñÂ. |
00000: 52 82 93 A7 FA FD 16 85 |R..§úý.. |
NtlmHttpFilter: JWSNET\castellj: 0xC0000022: jcifs.smb.SmbAuthException:
Access is denied.
treeConnect: unc=\\NTAWS115\IPC$,service=?????
New data read: Transport1[NTAWS115<00>/192.250.168.44:445]
00000: FF 53 4D 42 73 22 00 00 C0 98 07 C0 00 00 38 86 |ÿSMBs"..À..À..8.|
00010: B2 FF 77 1E 01 B9 00 00 00 00 07 51 00 00 05 00 |²ÿw..¹.....Q....|
signature verification failure
00000: 20 E1 12 45 B9 63 D8 30 | á.E¹cØ0 |
00000: 38 86 B2 FF 77 1E 01 B9 |8.²ÿw..¹ |
NtlmHttpFilter: JWSNET\castellj: 0xC0000022: jcifs.smb.SmbAuthException:
Access is denied.
java.io.InterruptedIOException: Read timed out
at java.net.SocketInputStream.socketRead(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:85)
at jcifs.util.transport.Transport.readn(Transport.java:29)
at jcifs.smb.SmbTransport.peekKey(SmbTransport.java:321)
at jcifs.util.transport.Transport.loop(Transport.java:89)
at jcifs.util.transport.Transport.run(Transport.java:229)
at java.lang.Thread.run(Thread.java:479)
We have an Ethereal capture for the network traffic at the time the above
messages were generated. Any and all help greatly appreciated. So far,
this has been one of the few questions that Google has not been able to
answer.
Thanks,
-jc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: web.xml
Type: application/octet-stream
Size: 2113 bytes
Desc: not available
Url : http://lists.samba.org/archive/jcifs/attachments/20050810/b8c44680/web.obj
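An added example, not part of the original post and not jCIFS code: a small Python decoder for the 32-byte SMB1 headers that appear in the log above, pairing each "signature verification failure" with the response header read just before it. The function names are hypothetical, and the sample bytes are copied from the post's log with the ASCII column omitted.

```python
import re
import struct

HEX_LINE = re.compile(r"^[0-9A-Fa-f]{5}:((?: [0-9A-Fa-f]{2})+)")
COMMANDS = {0x72: "NEGOTIATE", 0x73: "SESSION_SETUP_ANDX", 0x75: "TREE_CONNECT_ANDX"}
FLAGS2_SECURITY_SIGNATURE = 0x0004  # SMB1 Flags2 bit: signing in use

# Hex bytes copied from the log in the post (ASCII column omitted).
SAMPLE_LOG = """\
New data read: Transport1[NTAWS115<00>/192.250.168.44:445]
00000: FF 53 4D 42 73 22 00 00 C0 98 07 C0 00 00 2F 58
00010: C9 FB CB C4 DE A5 00 00 00 00 07 51 00 00 03 00
signature verification failure
00000: 5D 97 67 FE 2D A0 0D 06
00000: 2F 58 C9 FB CB C4 DE A5
"""

def hexdump_bytes(line):
    """Bytes of one 'NNNNN: XX XX ...' dump line; b'' if it is not a dump line."""
    m = HEX_LINE.match(line)
    return bytes.fromhex(m.group(1).replace(" ", "")) if m else b""

def parse_smb1_header(raw):
    """Decode the fixed 32-byte SMB1 header (all fields little-endian)."""
    if len(raw) < 32 or raw[:4] != b"\xffSMB":
        raise ValueError("not a complete SMB1 header")
    cmd, status, _flags, flags2 = struct.unpack_from("<BIBH", raw, 4)
    tid, _pid, uid, mid = struct.unpack_from("<HHHH", raw, 24)
    return {
        "command": COMMANDS.get(cmd, hex(cmd)),
        "status": status,                      # NTSTATUS, e.g. 0xC0000022
        "signing_flag": bool(flags2 & FLAGS2_SECURITY_SIGNATURE),
        "wire_signature": raw[14:22].hex(),    # 8-byte signature field
        "tid": tid, "uid": uid, "mid": mid,
    }

def signature_failures(log_text):
    """Pair each 'signature verification failure' with the header read before it."""
    lines, header, found = log_text.splitlines(), None, []
    for i, line in enumerate(lines):
        if line.startswith("New data read"):
            try:
                header = parse_smb1_header(b"".join(map(hexdump_bytes, lines[i + 1:i + 3])))
            except ValueError:
                header = None                  # truncated or non-SMB1 dump
        elif line.startswith("signature verification failure") and header:
            dumps = [hexdump_bytes(l).hex() for l in lines[i + 1:i + 3]]
            found.append(dict(header, logged=dumps,
                              wire_matches_second=dumps[-1:] == [header["wire_signature"]]))
    return found
```

For the sample, the decoded header is a SESSION_SETUP_ANDX response with status 0xC0000022 and the signing bit set in Flags2, and the second 8-byte value logged after "signature verification failure" is the signature field carried in that header.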