[jcifs] jCIFS Jboss Tomcat IIS NTLM Authentication

Richard Caper rcaper at gmail.com
Wed Oct 26 09:52:52 GMT 2005


In my experience, IIS tends to "grab" the NTLM messages coming from the
client; I've had similar issues using the filter fronted by IIS.

If all you need is to have getRemoteUser return the user name (i.e. just
using the filter to authenticate against the domain controller) then you
don't really need jCIFS; IIS can do this for you. See here for more details:

http://lists.samba.org/archive/jcifs/2004-April/003339.html

On 10/25/05, Scott Shaver <Scott.Shaver at mcdata.com> wrote:
>
> Okay I've spent the last several days going over everything I could find
> on the web about setting this up and I still can't get it to work. I have
> the following setup:
>
> jCIFS 1.2.6
> JBoss 4.0.3 with Tomcat 5
> Jakarta isapi_redirect 1.2.14
> IIS 5.0
> IE 6
> Windows 2003 Domain Controller
>
> A win2k machine running a small web app, on Jboss, with the
> jcifs.http.NtlmHttpFilter set up. An IIS box fronting the app server using
> the isapi redirector to pass the requests through to jboss. If I hit the app
> server directly with IE I see the following output from jboss:
>
> 14:06:24,692 INFO [STDOUT] Transport1: connect: state=0
> 14:06:24,692 INFO [STDOUT] New data read:
> Transport1[MC4DC01<00>/999.16.11.10:0]
> 14:06:24,692 INFO [STDOUT] 00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00
> 00 00 00 | SMBr......└....|
> 00010: 00 00 00 00 00 00 00 00 00 00 73 59 00 00 06 00 |..........sY....|
> 14:06:24,692 INFO [STDOUT] byteCount=50 but readBytesWireFormat returned
> 32
> 14:06:24,692 INFO [STDOUT] Transport1: run connected
> 14:06:24,708 INFO [STDOUT] Transport1: connected: state=3
> 14:06:24,724 INFO [STDOUT] treeConnect: unc=\\MC4DCA01\IPC$,service=?????
> 14:06:24,739 INFO [STDOUT] New data read:
> Transport1[MC4DC01<00>/999.16.11.10:0]
> 14:06:24,739 INFO [STDOUT] 00000: FF 53 4D 42 73 00 00 00 00 98 03 C0 00
> 00 00 00 | SMBs......└....|
> 00010: 00 00 00 00 00 00 00 00 07 20 73 59 00 40 07 00 |......... sY.@..|
> 14:06:24,755 INFO [STDOUT] NtlmHttpFilter: MCDATACORPNT\sas1a780c
> successfully authenticated against 0.0.0.0<00>/172.16.11.10
>
> which is great, that is exactly what I wanted it to do. I was
> authenticated against our domain controller. So it appears jCIFS is working.
> However when I then go to the application via the IIS server this happens:
>
> 12:32:17,115 INFO [STDOUT] treeConnect: unc=\\MC4DCA01\IPC$,service=?????
> 12:32:17,130 INFO [STDOUT] New data read:
> Transport1[MC4DCA01<00>/999.16.11.10:0]
> 12:32:17,130 INFO [STDOUT] 00000: FF 53 4D 42 73 6D 00 00 C0 98 03 C0 00
> 00 00 00 | SMBsm..└..└....|
> 00010: 00 00 00 00 00 00 00 00 00 00 73 59 00 00 05 00 |..........sY....|
> 12:32:17,130 INFO [STDOUT] NtlmHttpFilter: MCDATACORPNT\sas1a780c:
> 0xC000006D: jcifs.smb.SmbAuthException: Logon failure: unknown user name
> or bad password.
>
> 12:32:17,146 INFO [JkCoyoteHandler] Response already committed
>
> So the question is: What is causing it to fail when going through IIS?
>
> I'm only using the jcifs.http.domainController and jcifs.smb.client.domain
> settings in the web.xml for the filter.
>
> Is it IIS? Is it the isapi_redirect ISAPI filter on IIS? Is it the AJP13
> worker threads on the Jboss side? Is it something happening between the
> worker threads and the request hand-off to the tomcat server?
>
> I have the entire list of instructions written down for how I have set all
> of this up if anyone needs to see it. I can get the logs from the ISAPI
> filter if that would help. I've seen many, many threads about people having
> issues with this but no real answers and no configurations exactly like
> this. Any help is greatly appreciated.
>
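
The hex dumps in the quoted log are SMB1 headers, and bytes 5-8 of each carry the NT status the domain controller returned. The following is an added example, not code from either poster or from jCIFS, that extracts the dumps from the wrapped log text and decodes command, status and UID; the function names and the two small lookup tables are this example's own.

```python
import re
import struct

# Constructed sample: the two Session Setup dumps from the JBoss log above,
# kept with the mail's line wrapping and "> " quoting so the parser must cope.
SAMPLE_LOG = r"""
> 14:06:24,739 INFO [STDOUT] 00000: FF 53 4D 42 73 00 00 00 00 98 03 C0 00
> 00 00 00 | SMBs......└....|
> 00010: 00 00 00 00 00 00 00 00 07 20 73 59 00 40 07 00 |......... sY.@..|
> 12:32:17,130 INFO [STDOUT] 00000: FF 53 4D 42 73 6D 00 00 C0 98 03 C0 00
> 00 00 00 | SMBsm..└..└....|
> 00010: 00 00 00 00 00 00 00 00 00 00 73 59 00 00 05 00 |..........sY....|
"""

COMMANDS = {0x72: "SMB_COM_NEGOTIATE", 0x73: "SMB_COM_SESSION_SETUP_ANDX",
            0x75: "SMB_COM_TREE_CONNECT_ANDX"}
STATUSES = {0x00000000: "STATUS_SUCCESS", 0xC000006D: "STATUS_LOGON_FAILURE"}

def extract_packets(log_text):
    """Return one bytes object per dump; a dump starts at offset 00000."""
    packets, in_hex = [], False
    for line in log_text.splitlines():
        for tok in line.lstrip("> ").split():
            if re.fullmatch(r"[0-9A-Fa-f]{5}:", tok):
                in_hex = True
                if int(tok[:-1], 16) == 0:
                    packets.append(bytearray())
            elif in_hex and packets and re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                packets[-1].append(int(tok, 16))
            else:
                in_hex = False  # log prefix or the ASCII column of the dump
    return [bytes(p) for p in packets]

def parse_header(pkt):
    """Decode the fixed 32-byte SMB1 header (all fields little-endian)."""
    if len(pkt) < 32 or pkt[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 header")
    cmd, status, flags, flags2 = struct.unpack_from("<BIBH", pkt, 4)
    tid, pid, uid, mid = struct.unpack_from("<4H", pkt, 24)
    return {"command": COMMANDS.get(cmd, hex(cmd)),
            "status": STATUSES.get(status, f"0x{status:08X}"),
            "uid": uid, "mid": mid}

if __name__ == "__main__":
    for pkt in extract_packets(SAMPLE_LOG):
        print(parse_header(pkt))
```

In the direct request the Session Setup response carries a non-zero UID, meaning a session was established; in the request through IIS the same command returns 0xC000006D with UID 0, which is the status the NtlmHttpFilter line reports.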