[jcifs] NtlmHttpFilter authentication failure

Michael B Allen mba2000 at ioplex.com
Thu Jul 20 07:36:50 GMT 2006

The NTLM HTTP Filter doesn't work in a cluster environment because the
NTLM protocol is a multi step handshake so if the first step goes to
one server and a subsequent step goes to a differnet one the handshake
will fail.

The only way to resolve the problem is to somehow direct clients to go
back to the server with which they first communicated with.

There have been other discussions about how to remedy this problem such
as directing clients to one server just to log in.


On Thu, 20 Jul 2006 08:25:51 +0200
Klaus Steffan <klaus.steffan at wugnet.de> wrote:

> Hello,
> I am using the NtlmHttpFilter (jcifs 1.1.8), the intranet web-application is
> running on a WebSphere Application Server cluster on Solaris, the Domain
> Controllers (jcifs.http.loadBalance=true) are Windows 2003 Server. Session
> tracking is done with cookies, requests from the same client go to the same
> server.
> The problem is that the authentication randomly fails for any user. A user
> can authentication one time, and the next time the authentication fails with
>      NtlmHttpFilter: DOMAIN\12345678: 0xC0000022: jcifs.smb.SmbAuthException:
> Access is denied.
> In the test environment everything works fine (usually) and the authentication
> succeeds. The authentication in the live system (same application, users,
> server OS, domain controller) regularly fails with "Access is denied" for
> almost all users for the first time. When the users then reloads the page (F5)
> the authentication is usually successful.
> When we use the current jcifs version (1.2.9), the password dialog pops up in
> the failure case (401: Unauthorized); the authentication then always fails,
> even the user enters the correct credentials. The only solution is to close 
> and restart the browser.
> We can´t see any error info in the domain controller server.
> The authentication problem occured the first time after installing a 
> Microsoft patch on the domain controllers.
> We use the following filter params:
>  <filter>
>     <filter-name>ntlm</filter-name>
>     <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
>     <init-param>
>     	<param-name>jcifs.smb.client.domain</param-name>
>         <param-value>DOMAIN</param-value>
>     </init-param>
>     <init-param>
> 	<param-name>jcifs.netbios.wins</param-name>
>         <param-value>swdc01,swdc02,swdc03,swdc04</param-value>
>     </init-param>
>     <init-param>
> 	<param-name>jcifs.http.loadBalance</param-name>
>         <param-value>true</param-value>
>     </init-param>
>     <init-param>
>         <param-name>jcifs.smb.client.ssnLimit</param-name>
>         <param-value>1000</param-value>
>     </init-param>
>     <init-param>
>         <param-name>jcifs.util.loglevel</param-name>
>   	<param-value>2</param-value>
>     </init-param>
>   </filter>
> I´ve read the postings and tried the following tips to resolve the problem, 
> but none helped: 
> 1. Upgrading to JCIFS 1.2.9: same behaviour.
> 2. Preauthentication: define a username and password didn´t have any
> affect. 
> 3. Setting ssnLimit to 1: all (!) authentication attempts failed with
> "Access is denied". 
> Attached you´ll find logfiles for both a successful and
> a failed authentication.
> Btw: Another web-application which also uses the same jcifs filter with 
> dentical params (and identical environment: Domain Controller...) doesn´t 
> have any problems. 
> Does anyone have an idea whats wrong ? 
> Any help would be appreciated.
> Klaus
> -- 

Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization

More information about the jcifs mailing list