[jcifs] NtlmHttpFilter authentication failure

Klaus Steffan klaus.steffan at wugnet.de
Thu Jul 20 06:25:51 GMT 2006 

Hello,

I am using the NtlmHttpFilter (jcifs 1.1.8), the intranet web-application is
running on a WebSphere Application Server cluster on Solaris, the Domain
Controllers (jcifs.http.loadBalance=true) are Windows 2003 Server. Session
tracking is done with cookies, requests from the same client go to the same
server.

The problem is that the authentication randomly fails for any user. A user
can authentication one time, and the next time the authentication fails with
     NtlmHttpFilter: DOMAIN\12345678: 0xC0000022: jcifs.smb.SmbAuthException:
Access is denied.

In the test environment everything works fine (usually) and the authentication
succeeds. The authentication in the live system (same application, users,
server OS, domain controller) regularly fails with "Access is denied" for
almost all users for the first time. When the users then reloads the page (F5)
the authentication is usually successful.

When we use the current jcifs version (1.2.9), the password dialog pops up in
the failure case (401: Unauthorized); the authentication then always fails,
even the user enters the correct credentials. The only solution is to close 
and restart the browser.

We can´t see any error info in the domain controller server.
The authentication problem occured the first time after installing a 
Microsoft patch on the domain controllers.

We use the following filter params:
 <filter>
    <filter-name>ntlm</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
    <init-param>
    	<param-name>jcifs.smb.client.domain</param-name>
        <param-value>DOMAIN</param-value>
    </init-param>
    <init-param>
	<param-name>jcifs.netbios.wins</param-name>
        <param-value>swdc01,swdc02,swdc03,swdc04</param-value>
    </init-param>
    <init-param>
	<param-name>jcifs.http.loadBalance</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.smb.client.ssnLimit</param-name>
        <param-value>1000</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.util.loglevel</param-name>
  	<param-value>2</param-value>
    </init-param>
  </filter>


I´ve read the postings and tried the following tips to resolve the problem, 
but none helped: 

1. Upgrading to JCIFS 1.2.9: same behaviour.
2. Preauthentication: define a username and password didn´t have any
affect. 
3. Setting ssnLimit to 1: all (!) authentication attempts failed with
"Access is denied". 

Attached you´ll find logfiles for both a successful and
a failed authentication.

Btw: Another web-application which also uses the same jcifs filter with 
dentical params (and identical environment: Domain Controller...) doesn´t 
have any problems. 

Does anyone have an idea whats wrong ? 
Any help would be appreciated.

Klaus

--

More information about the jcifs mailing list