[jcifs] Problem with transparent autentication using the NtlmHttpFilter

Michael B Allen mba2000 at ioplex.com
Thu Jan 19 18:43:23 GMT 2006 

On Thu, 19 Jan 2006 16:20:41 +0000
João Mota <jmota at criticalsoftware.com> wrote:

> Hello,
> 
> I am having some problems getting transparent authentication to work 
> with NtlmHttpFilter jcifs-1.2.7, it seems that IE is failling the 
> negotiation.
> The domain Controller is a windows 2003 server.
> 
> The error that shows in the log at the same time that the dialog box to 
> enter username/password shows up is (i replaced the sensitive data for a 
> meaningfull word in caps):
>      NtlmHttpFilter: DOMAIN\USERLOGIN: 0xC0000022: 
> jcifs.smb.SmbAuthException: Access is denied.

No doubt this is an SMB signing issue. You need "preauthentication".

> 
> Filling in the user and password in the dialog box, the authentication 
> works ok.
> 
> My questions are:
> 1) Is it possible to have transparent authentication with the 
> jcifs.http.domainController specified ?

No, it was recently discoverd that preauthentication only works if
jcifs.http.domainController is NOT used. I would use:

>    <filter>
>         <filter-name>NtlmHttpFilter</filter-name>
>         <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
>     <init-param>
>         <param-name>jcifs.netbios.wins</param-name>
>         <param-value>IP</param-value>
>         </init-param>
>     <init-param>
>         <param-name>jcifs.smb.client.domain</param-name>
>         <param-value>DOMAIN</param-value>
>         </init-param>
>     <init-param>
>         <param-name>jcifs.smb.client.username</param-name>
>         <param-value>USER</param-value>
>         </init-param>
>     <init-param>
>         <param-name>jcifs.smb.client.password</param-name>
>         <param-value>PASSWORD</param-value>
>         </init-param>
>     <init-param>
>         <param-name>jcifs.util.loglevel</param-name>
>         <param-value>2</param-value>
>         </init-param>

If you don't have wins then you could try setting jcifs.netbios.lmhosts
[1] to a file that maps the IP you had for domainController to DOMAIN.

Otherwise, we need to fix the code so that preauth works with
domainController. It's on The List.

Mike

http://jcifs.samba.org/src/docs/resolver.html

More information about the jcifs mailing list