[jcifs] Problem with Domain Controller Load Balancing

Ghouse, Sherjeel Sherjeel.Ghouse at molex.com
Tue Aug 21 16:46:09 GMT 2007


Mike,

We have an unusual issue going on with Domain Controller Load balancing. jCIFS version is 1.2.12 and environment is AD 2003.  

We are using a WINS configuration for load balancing DCs and also for high application availability. There is no problem when the Application is accessed directly by entering a URL in IE. However, if the application is accessed by clicking a URL in SAP portal, an NPD pops up and Authentication never succeeds. After looking at the log information, it looks like the NTLM Type 3 response is never completed for one specific DC and a separate negotiation starts with a different DC, resulting in 0xC000006D: Logon failure: unknown user name or bad password.

I think the code takes care of removing the Challenge when authentication fails since a challenge from that DC is not valid for user supplied passwords. This is done before sending WWW-Authenticate to the client. However, when the credentials are manually entered, the login still fails and eventually locks up the AD account.

The weirdest thing is we don't get into this issue when a machine name or IP address is used in the URL rather than FQDN. I don't think the FQDN should have any negative effect on NTLM handshake. I don't know if IE or SAP portal (runs in IE) is the problem. I confirmed that there is no interference of authentication proxies.

To narrow down the diagnostic steps, I put an IP of WINS that returns only one DC and the problem is gone. However, there is no load balancing with this setup and could be catastrophic for production systems.

Please advise if anyone has any ideas.

Thanks,
Sherjeel



