FW: [jcifs] Ntlm authentication prompts 2nd user - Win 2003
Michael B Allen
mba2000 at ioplex.com
Mon Jul 11 19:07:48 GMT 2005
On Mon, 11 Jul 2005 12:58:57 -0500
"AARON WILT" <AARONWILT at afninet.com> wrote:
> Sorry I sent this directly to your email address, but I got a message back from the jcifs listserv saying my attachments were too big to be posted.
That's ok. You should never send captures to a public mailing list anyway.
> It appears that when I change nothing except the jcifs-1.2.1 jar to the jcifs-1.1.11.jar, things seem to work better for the most part. The NtlmHttpAuthExample is giving me a success message. I had a colleague of mine attempt to access this servlet intermittently as I was also accessing it. It seemed if I would access the page, then he would try to "submit query" that's when the next person to access the page would bomb with an Unverifiable signature SmbException such as showed up in the server log:
> 2005-07-08 14:59:52 StandardWrapperValve[ntauth]: Servlet.service() for servlet ntauth threw exception
> jcifs.smb.SmbException: Unverifiable signature: 0.0.0.0<00>/10.250.254.164
> at jcifs.smb.SmbTransport.send(SmbTransport.java:674)
> at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:271)
> at jcifs.smb.SmbSession.send(SmbSession.java:228)
> at jcifs.smb.SmbTree.treeConnect(SmbTree.java:134)
> at jcifs.smb.SmbSession.logon(SmbSession.java:159)
> at jcifs.smb.SmbSession.logon(SmbSession.java:152)
> at jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:155)
> Attached is a printout of my server console as well as the packet capture throughout our attempts at accessing the servlet.
> Any ideas?
Funny, I see Access Denied in the packet captures. If unverifiable signature errors were occurring that would suggest the session setup was actually successful but jCIFS couldn't verify the signature.
First, I see you're running IIS on the same machine/port. I can see GET / generating Access Denied messages so I think you might have NTLM HTTP Authentication enabled with it as well. That could cause problems. Why don't you just use IIS's built-in auth?
Also, it looks like the machine acting as the web server is actually quite busy with other things. I see DFS referrals, outgoing NTLM HTTP requests, and other stuff. This can complicate things.
But ultimately I see non-primary attempts to establish a session after the initial one are causing Access Denied replies. This would suggest that the DC did not like the signature from jCIFS. That could be a bug but it is odd that everyone else does not have this problem.
Unfortunately the use of Tomcat with modjk and IIS on a busy machine creates too many variables for me to look at this further. If you have the same problem on a fresh Linux install with vanilla options then re-post your issue.
> For some reason, yesterday the first user was getting in fine and the second user had the problem. Today it appears that every time I connect, I get the prompt. I'm baffled as to what changed overnight to cause this behavior.
> I will try to download 1.1.11 jar and I'll let you know what happens.
> Thanks for the help, Mike.
> P.S. As for those timeouts, they occur instantly after I get the prompt. I'm not sure if that is significant, but I thought I would mention it since you said they happen when the smb transports have been idle "for a while" (of course a while can be very relative :-).
> -----Original Message-----
> From: Michael B Allen [mailto:mba2000 at ioplex.com]
> Sent: Friday, July 08, 2005 12:37 PM
> To: AARON WILT
> Cc: jcifs at lists.samba.org
> Subject: Re: [jcifs] Ntlm authentication prompts 2nd user - Win 2003
> On Fri, 8 Jul 2005 10:25:52 -0500
> "AARON WILT" <AARONWILT at afninet.com> wrote:
> > "Explain what the problem is and not what you think the problem is."
> > Ok, sorry for not being clear. The problem is that when I try to access the NtlmHttpAuthExample servlet, I get prompted for a username/password/domain instead of it automatically determining my NT Domain information. You can see my web.xml in the previous email.
> > "Do you get an error?"
> > Yes - now that I've added log level init param (level 3) and I downloaded ethereal, I can see what these errors are.
> > "If so what is the error?"
> > In my Tomcat server log, I get the following error:
> > <snip>
> > signature verification failure
> > 00000: 9A 61 B5 BB A0 C4 7C ED |.aµ» Ä|í |
> > 00000: 03 2D 79 55 9A E3 24 88 |.-yU.ã$. |
> So what happened to the "2nd user" part? Is that not true? If it is still occurring and you have established preauthentication then it should work. Try 1.1.11 vs 1.2.1. Send me an ethereal capture of the error.
> > java.net.SocketTimeoutException: Receive timed out
> > at java.net.PlainDatagramSocketImpl.receive(Native Method)
> > at java.net.DatagramSocket.receive(DatagramSocket.java:711)
> > at jcifs.netbios.NameServiceClient.run(NameServiceClient.java:184)
> > at java.lang.Thread.run(Thread.java:534)
> > java.net.SocketTimeoutException: Read timed out
> > at java.net.SocketInputStream.socketRead0(Native Method)
> > at java.net.SocketInputStream.read(SocketInputStream.java:129)
> > at jcifs.util.transport.Transport.readn(Transport.java:29)
> > at jcifs.smb.SmbTransport.peekKey(SmbTransport.java:319)
> > at jcifs.util.transport.Transport.loop(Transport.java:89)
> > at jcifs.util.transport.Transport.run(Transport.java:229)
> > at java.lang.Thread.run(Thread.java:534)
> Actually these timeouts are normal. These are the name service and smb transports timing out after having been idle for a while.
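
The thread distinguishes SMB signature failures from idle-transport timeouts that the reply calls normal. The following is an added example, not code from the thread or from jCIFS, that splits a Tomcat/jCIFS log into those two groups; the category names, the frame list and the sample log (constructed from the excerpts quoted above) are assumptions of this example.

```python
import re

# Constructed sample, assembled from the log excerpts quoted in this thread.
SAMPLE_LOG = """\
2005-07-08 14:59:52 StandardWrapperValve[ntauth]: Servlet.service() for servlet ntauth threw exception
jcifs.smb.SmbException: Unverifiable signature: 0.0.0.0<00>/10.250.254.164
    at jcifs.smb.SmbTransport.send(SmbTransport.java:674)
    at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:271)
java.net.SocketTimeoutException: Receive timed out
    at jcifs.netbios.NameServiceClient.run(NameServiceClient.java:184)
java.net.SocketTimeoutException: Read timed out
    at jcifs.smb.SmbTransport.peekKey(SmbTransport.java:319)
    at jcifs.util.transport.Transport.loop(Transport.java:89)
"""

QUOTE_RE = re.compile(r"^(?:>\s?)+")   # strip e-mail quoting such as "> > "
EXC_RE = re.compile(r"^([\w.$]+(?:Exception|Error)): (.*)$")
FRAME_RE = re.compile(r"^at ([\w.$<>]+)\(")
# Assumption: frames of the name service and SMB transport reader threads,
# which the reply says time out after being idle.
IDLE_FRAMES = {"jcifs.netbios.NameServiceClient.run",
               "jcifs.util.transport.Transport.loop"}

def parse_traces(text):
    """Group each exception header with the stack frames that follow it."""
    traces, cur = [], None
    for raw in text.splitlines():
        line = QUOTE_RE.sub("", raw).strip()
        m = EXC_RE.match(line)
        if m:
            cur = {"type": m.group(1), "msg": m.group(2), "frames": []}
            traces.append(cur)
            continue
        f = FRAME_RE.match(line)
        if f and cur is not None:
            cur["frames"].append(f.group(1))
        elif not f:
            cur = None  # any other line ends the current trace
    return traces

def classify(trace):
    frames = set(trace["frames"])
    if trace["type"].endswith("SmbException") and "signature" in trace["msg"].lower():
        return "signing-failure"  # needs investigation
    if trace["type"].endswith("SocketTimeoutException") and frames & IDLE_FRAMES:
        return "idle-timeout"     # described as normal in the reply
    return "other"

def triage(text):
    return [(classify(t), t["type"], t["msg"]) for t in parse_traces(text)]
```

A timeout whose stack does not pass through one of the listed jCIFS threads is reported as `other` rather than dismissed, so only the pattern the reply describes is filtered out.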