[jcifs] Problem with transparent authentication using the NtlmHttpFilter

Michael B Allen mba2000 at ioplex.com
Thu Jan 19 18:43:23 GMT 2006

On Thu, 19 Jan 2006 16:20:41 +0000
João Mota <jmota at criticalsoftware.com> wrote:

> Hello,
> I am having some problems getting transparent authentication to work 
> with NtlmHttpFilter jcifs-1.2.7, it seems that IE is failing the 
> negotiation.
> The domain controller is a Windows 2003 server.
> The error that shows in the log at the same time that the dialog box to 
> enter username/password shows up is (I replaced the sensitive data with a 
> meaningful word in caps):
>      NtlmHttpFilter: DOMAIN\USERLOGIN: 0xC0000022: 
> jcifs.smb.SmbAuthException: Access is denied.

No doubt this is an SMB signing issue. You need "preauthentication".

> Filling in the user and password in the dialog box, the authentication 
> works ok.
> My questions are:
> 1) Is it possible to have transparent authentication with the 
> jcifs.http.domainController specified ?

No, it was recently discovered that preauthentication only works if
jcifs.http.domainController is NOT used. I would use:

>     <filter>
>         <filter-name>NtlmHttpFilter</filter-name>
>         <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
>         <init-param>
>             <param-name>jcifs.netbios.wins</param-name>
>             <param-value>IP</param-value>
>         </init-param>
>         <init-param>
>             <param-name>jcifs.smb.client.domain</param-name>
>             <param-value>DOMAIN</param-value>
>         </init-param>
>         <init-param>
>             <param-name>jcifs.smb.client.username</param-name>
>             <param-value>USER</param-value>
>         </init-param>
>         <init-param>
>             <param-name>jcifs.smb.client.password</param-name>
>             <param-value>PASSWORD</param-value>
>         </init-param>
>         <init-param>
>             <param-name>jcifs.util.loglevel</param-name>
>             <param-value>2</param-value>
>         </init-param>
>     </filter>

If you don't have wins then you could try setting jcifs.netbios.lmhosts
[1] to a file that maps the IP you had for domainController to DOMAIN.

Otherwise, we need to fix the code so that preauth works with
domainController. It's on The List.
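
A lint for the constraint stated in the reply above, added here as an example and not part of the original message or of jCIFS: it parses a web.xml and flags preauthentication credentials combined with jcifs.http.domainController, and filters that set neither jcifs.netbios.wins nor jcifs.netbios.lmhosts. The sample XML, the address 192.0.2.10 and the finding names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): the poster's filter with
# jcifs.http.domainController still set next to the preauth credentials.
SAMPLE_WEB_XML = """<web-app><filter>
  <filter-name>NtlmHttpFilter</filter-name>
  <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
  <init-param><param-name>jcifs.http.domainController</param-name><param-value>192.0.2.10</param-value></init-param>
  <init-param><param-name>jcifs.smb.client.domain</param-name><param-value>DOMAIN</param-value></init-param>
  <init-param><param-name>jcifs.smb.client.username</param-name><param-value>USER</param-value></init-param>
  <init-param><param-name>jcifs.smb.client.password</param-name><param-value>PASSWORD</param-value></init-param>
</filter></web-app>"""

PREAUTH = ["jcifs.smb.client." + k for k in ("domain", "username", "password")]

def local(tag):
    """Strip an XML namespace so namespaced web.xml files also match."""
    return tag.rsplit("}", 1)[-1]

def ntlm_filter_params(web_xml):
    """Yield {param-name: param-value} for each NtlmHttpFilter <filter>."""
    for flt in ET.fromstring(web_xml).iter():
        if local(flt.tag) != "filter":
            continue
        classes = [(c.text or "").strip() for c in flt if local(c.tag) == "filter-class"]
        if "jcifs.http.NtlmHttpFilter" not in classes:
            continue
        params = {}
        for ip in (c for c in flt if local(c.tag) == "init-param"):
            kv = {local(c.tag): (c.text or "").strip() for c in ip}
            params[kv.get("param-name", "")] = kv.get("param-value", "")
        yield params

def check_preauth(web_xml):
    """Return finding codes (hypothetical names) for the advice in the reply."""
    findings = []
    for p in ntlm_filter_params(web_xml):
        have = [k for k in PREAUTH if p.get(k)]
        if not have:
            findings.append("preauth-not-configured")
        elif len(have) < len(PREAUTH):
            findings.append("preauth-incomplete")
        elif "jcifs.http.domainController" in p:
            # Per the reply: preauth only works without domainController.
            findings.append("preauth-with-domainController")
        if not (p.get("jcifs.netbios.wins") or p.get("jcifs.netbios.lmhosts")):
            findings.append("no-wins-or-lmhosts")
    return findings
```

Calling `check_preauth(SAMPLE_WEB_XML)` returns the list of findings for the constructed sample; an empty list means the filter matches the layout suggested in the reply.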


