[jcifs] SSO problem

Tony Sze, CLSA tony.sze at clsa.com
Tue Jan 11 01:42:26 GMT 2005


We have successfully used jcifs-ext 0.9.4 in our J2EE application server for
SSO with Kerberos (Windows 2000 Active Directory), but the caveat is, we
didn't know how to use it with keytab so we ended up putting the password of
the SPN in domain.xml in plain text. Also, we don't know how to configure a
failover domain controller. Otherwise, it works.

There was also a bug in J2EE 1.4 SDK which stops it from working, but there is a
patch.

The web.xml I used has the following lines:

    <filter>
      <filter-name>AuthenticationFilter</filter-name>
      <filter-class>jcifs.http.AuthenticationFilter</filter-class>
      <init-param>
        <param-name>jcifs.http.enableNegotiate</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>jcifs.spnego.servicePrincipal</param-name>
        <param-value>HTTP/server.int.company.com@INT.COMPANY.COM</param-value>
      </init-param>
      <init-param>
        <param-name>jcifs.spnego.servicePassword</param-name>
        <param-value>xxx</param-value>
      </init-param>
      <init-param>
        <param-name>java.security.krb5.realm</param-name>
        <param-value>INT.COMPANY.COM</param-value>
      </init-param>
      <init-param>
        <param-name>java.security.krb5.kdc</param-name>
        <param-value>domain_controller.int.company.com</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>AuthenticationFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
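The caveat above (the SPN password stored in plain text) can be avoided by loading the service key from a keytab. The following is an added example, not jcifs-ext code: it uses the JDK's own Krb5LoginModule and GSS-API acceptor rather than the jcifs.http.AuthenticationFilter, and assumes the placeholder keytab path, that the realm and KDC are configured (via the java.security.krb5.* properties shown above or a krb5.conf), and that the caller has already base64-decoded the token from the `Authorization: Negotiate` header.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Accepts a SPNEGO token with service keys read from a keytab, so no password sits in web.xml. */
public class KeytabSpnegoAcceptor {
    // SPN as in the web.xml above; the keytab path is a placeholder for this example.
    static final String SERVICE_PRINCIPAL = "HTTP/server.int.company.com@INT.COMPANY.COM";
    static final String KEYTAB_PATH = "/etc/krb5/http.keytab";
    static final Oid SPNEGO_OID;
    static {
        try { SPNEGO_OID = new Oid("1.3.6.1.5.5.2"); }
        catch (Exception e) { throw new ExceptionInInitializerError(e); }
    }

    /** JAAS login entry built in code (equivalent to a jaas.conf entry with useKeyTab=true). */
    static Configuration keytabConfig() {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", KEYTAB_PATH);
        opts.put("principal", SERVICE_PRINCIPAL);
        opts.put("storeKey", "true");     // keep the long-term key so GSS can decrypt service tickets
        opts.put("doNotPrompt", "true");  // never fall back to prompting for a password
        opts.put("isInitiator", "false"); // acceptor only: the service needs no TGT of its own
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /** Validates one decoded Negotiate token; returns the client principal, or null if not established. */
    static String authenticate(byte[] spnegoToken) throws Exception {
        LoginContext lc = new LoginContext("HttpService", null, null, keytabConfig());
        lc.login(); // reads the key from the keytab, no password involved
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
            GSSManager gss = GSSManager.getInstance();
            GSSCredential serverCred = gss.createCredential(
                null, GSSCredential.INDEFINITE_LIFETIME, SPNEGO_OID, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = gss.createContext(serverCred);
            ctx.acceptSecContext(spnegoToken, 0, spnegoToken.length);
            // Kerberos-backed SPNEGO normally completes in one leg; a non-null output token would be returned to the client otherwise.
            return ctx.isEstablished() ? ctx.getSrcName().toString() : null;
        });
    }
}
```

The keytab file must be readable only by the application server account, since it is as sensitive as the password it replaces.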

-----Original Message-----
From: Michael B Allen [mailto:mba2000 at ioplex.com] 
Sent: Tuesday, January 11, 2005 8:19 AM
To: Pietrzyk, Sławomir
Cc: jcifs at samba.org
Subject: RE: [jcifs] SSO problem


"Pietrzyk, Sławomir" said:
> The mailing list (http://lists.samba.org/listinfo/jcifs) is not
> working, so I'll keep asking you personally. Then I'll put all of this
> into the mailing list.
>
> I did a packet capture, and I've found that there is no communication
> between the DC and my host. I mean, there is communication, but not on the
> desired ports
> (137, 138, 139...)
>
<snip>
>
> So I don't know what else I need to configure to obtain this
> communication.
>
> I use 1.1.6 version of jcifs for tomcat 4.0.

The problem isn't ports. The DC looks like it's requiring extended security
negotiation (NTLMSSP) which jcifs does not support. You can try setting
jcifs.smb.lmCompatibility = 3.

Or you could use jcifs.http.domainController to use a man-in-the-middle
approach, but that will be a little slower and will put load on the machine
being used as the "DC".

The jcifs-ext package might help if you just want to do Kerberos SSO but
it's not as easy to use and isn't as tested as mainline.

If you have a budget you should just use Wedgetail. I think they support
what you want.

Mike

