[jcifs] authentication not working

Ashok Kumar K AshokKumar_220060 at infosys.com
Mon Aug 27 12:03:37 GMT 2007


Hi Eric,

As you advised I changed values of all those registry entries to 0X00000000 and tried, even then it's saying 'page can not be displayed..'
But I could see some log on tomcat console, hope this could help, below is the log.


NameQueryRequest[nameTrnId=2,isResponse=false,opCode=QUERY,isAuthAnswer=false,is
Truncated=false,isRecurAvailable=false,isRecurDesired=true,isBroadcast=true,resu
ltCode=0,questionCount=1,answerCount=0,authorityCount=0,additionalCount=0,questi
onName=HYDHTCGDC01<20>,questionType=0x0020,questionClass=IN,recordName=null,reco
rdType=0x0000,recordClass=0x0000,ttl=0,rDataLength=0]
00000: 00 02 01 10 00 01 00 00 00 00 00 00 20 45 49 46  |............ EIF|
00010: 4A 45 45 45 49 46 45 45 44 45 48 45 45 45 44 44  |JEEEIFEEDEHEEEDD|
00020: 41 44 42 43 41 43 41 43 41 43 41 43 41 00 00 20  |ADBCACACACACA.. |
00030: 00 01                                            |..              |

NameQueryRequest[nameTrnId=3,isResponse=false,opCode=QUERY,isAuthAnswer=false,is
Truncated=false,isRecurAvailable=false,isRecurDesired=true,isBroadcast=true,resu
ltCode=0,questionCount=1,answerCount=0,authorityCount=0,additionalCount=0,questi
onName=HYDHTCGDC01<20>,questionType=0x0020,questionClass=IN,recordName=null,reco
rdType=0x0000,recordClass=0x0000,ttl=0,rDataLength=0]
00000: 00 03 01 10 00 01 00 00 00 00 00 00 20 45 49 46  |............ EIF|
00010: 4A 45 45 45 49 46 45 45 44 45 48 45 45 45 44 44  |JEEEIFEEDEHEEEDD|
00020: 41 44 42 43 41 43 41 43 41 43 41 43 41 00 00 20  |ADBCACACACACA.. |
00030: 00 01                                            |..              |

NameQueryRequest[nameTrnId=4,isResponse=false,opCode=QUERY,isAuthAnswer=false,is
Truncated=false,isRecurAvailable=false,isRecurDesired=true,isBroadcast=true,resu
ltCode=0,questionCount=1,answerCount=0,authorityCount=0,additionalCount=0,questi
onName=HYDHTCGDC01<1D>,questionType=0x0020,questionClass=IN,recordName=null,reco
rdType=0x0000,recordClass=0x0000,ttl=0,rDataLength=0]
00000: 00 04 01 10 00 01 00 00 00 00 00 00 20 45 49 46  |............ EIF|
00010: 4A 45 45 45 49 46 45 45 44 45 48 45 45 45 44 44  |JEEEIFEEDEHEEEDD|
00020: 41 44 42 43 41 43 41 43 41 43 41 42 4E 00 00 20  |ADBCACACACABN.. |
00030: 00 01                                            |..              |

SmbComNegotiate[command=SMB_COM_NEGOTIATE,received=false,errorCode=0,flags=0x001
8,flags2=0xC003,signSeq=0,tid=0,pid=36103,uid=0,mid=1,wordCount=0,byteCount=12,w
ordCount=0,dialects=NT LM 0.12]
New data read: Transport1[HYDHTCGDC01/10.136.65.55:0]
00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  | SMBr......└....|
00010: 00 00 00 00 00 00 00 00 00 00 07 8D 00 00 01 00  |................|

byteCount=54 but readBytesWireFormat returned 28
SmbComNegotiateResponse[command=SMB_COM_NEGOTIATE,received=false,errorCode=0,fla
gs=0x0098,flags2=0xC003,signSeq=0,tid=0,pid=36103,uid=0,mid=1,wordCount=17,byteC
ount=54,wordCount=17,dialectIndex=0,securityMode=0x7,security=user,encryptedPass
words=true,maxMpxCount=50,maxNumberVcs=1,maxBufferSize=16644,maxRawSize=65536,se
ssionKey=0x00000000,capabilities=0x0001F3FD,serverTime=Mon Aug 27 17:19:58 GMT+0
5:30 2007,serverTimeZone=65206,encryptionKeyLength=8,byteCount=54,encryptionKey=
0x555C64778D2D24A5,oemDomainName=ITLINFOSYS]
java.net.SocketException: Connection reset
        at java.net.SocketInputStream.read(SocketInputStream.java:168)
        at jcifs.util.transport.Transport.readn(Transport.java:29)
        at jcifs.smb.SmbTransport.peekKey(SmbTransport.java:355)
        at jcifs.util.transport.Transport.loop(Transport.java:100)
        at jcifs.util.transport.Transport.run(Transport.java:265)
        at java.lang.Thread.run(Thread.java:595)


thanks
Ashok
-----Original Message-----
From: Eric Glass [mailto:eric.glass at gmail.com] 
Sent: Monday, August 27, 2007 5:04 PM
To: Ashok Kumar K
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] authentication not working

All of these will likely be an issue:

LMCompatibilityLevel = 5 means support only NTLMv2/LMv2.  jCIFS has
some support for this; you should add to your web.xml:

<init-param>
    <param-name>jcifs.smb.lmCompatibility</param-name>
    <param-value>5</param-value>
</init-param>

This may fix it for the clients that are not working (but might break
the ones that are, you will have to test).  Alternatively, you can set
the registry value to 0x00000000 on the non-working clients which may
fix.

NtlmMinClientSec/NtlmMinServerSec = 0x20000000 + 0x00080000

means require 128-bit signing support (irrelevant for these purposes;
depending on what jCIFS echoes back by default it may or may not be an
issue), as well as require NTLM2 signing support (will be an issue, as
it requires support for the NTLM2 session response that jCIFS cannot
provide).

Easiest way to fix this would be to set these to 0x00000000 on the
client (may only be required for NtlmMinClientSec, not sure).



 On 8/27/07, Ashok Kumar K <AshokKumar_220060 at infosys.com> wrote:
>
> Hi
>
> Here are the registry values of those entries on one of the machines (laptop) where the app is not working
>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel -> 0X00000005(5)
>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0\NtlmMinClientSec -> 0X20080000(537395200)
>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0\NtlmMinServerSec -> 0X20080000(537395200)
>
> Thanks
>
> Ashok
>
> ________________________________
>
> From: Eric Glass [mailto:eric.glass at gmail.com]
>  Sent: Monday, August 27, 2007 4:31 PM
>  To: Ashok Kumar K
>  Cc: Torben Wölm; jcifs at lists.samba.org
>  Subject: Re: [jcifs] authentication not working
>
> What are the values of the following registry entries on the machines where the app is not working:
>
>  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel
>
>  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0\NtlmMinClientSec
>
>  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0\NtlmMinServerSec
>
> On 8/27/07, Ashok Kumar K <AshokKumar_220060 at infosys.com> wrote:
>
>  Hi Torben
>
>  I would like to thank you for sparing your valuable time to solve my problem. I could not give my immediate reply as I was out this weekend, so excuse me.
>
>  Coming to the issue,
>
>  As you suggested I changed to version 1.2.17
>
>  I tried all the 3 steps that you suggested and the result is as under
>
>  1. Those who could not connect through laptop are able to connect through regular pc using their username and password.
>
>  2. When I disabled auto logon feature in IE settings, it's prompting for username and password. Also I was able to reach server from their system, i.e. I could open tomcat admin console of server from their system.
>
>  3. I find a little difference in the output of 'tracert <server>' on machines those accessing and those not accessing. Even then I could reach server machine from both systems ( as I could reach tomcat admin console from both systems ) so I don't think it's a problem.
>
>  To tell you, when I commented out the code that is accessing the windows login user's name, I am able to hit the application from all systems.
>
>  You also suggested to try out Ethereal, we don't know how to use it.
>
>  Here is the extra info you asked that might help to trace the problem.
>
>  -Windows version over which tomcat running : windows server 2003
>
>  -windows version on laptops : windows XP
>
>  As I told you before there are some laptops with windows XP over which app is accessible.
>
>  -IE version on all systems are 6.0
>
>  We did not install any service packs anywhere.
>
>  I know that I am troubling you too much, but hope you understood my situation and help regarding this.
>
>
>
>  Thanks and regards
>  Ashok
>
>  -----Original Message-----
>  From: Torben Wölm [mailto:torben.wolm at LEGO.com]
>  Sent: Saturday, August 25, 2007 1:42 PM
>  To: Ashok Kumar K
>  Cc: jcifs at lists.samba.org
>  Subject: RE: [jcifs] authentication not working
>
>  Hi Ashok
>
>  I meant that the library in the meantime is up to version 1.2.17 and you are still using 1.1.11...
>
>  When connecting from the laptops -- do you always only get a "SmbComTreeDisconnect" message?
>
>  I don't think the problem lies with JCIFS -- then it wouldn't work for the regular users either.
>
>
>  Some things to try out:
>
>  1) Have one of the laptop users logon a regular PC, and see if they can connect to the application.
>
>     This is to see if it is something with the account.
>
>
>  2) Try to disable the autologon feature in Internet Explorer
>  (Tools->Internet Options->Security->Custom Level -- at the bottom locate "Logon" and set to "Prompt for username and password")
>
>     This is to see if the users have connected to the server that hosts Tomcat earlier and maybe checked off "Remember password".
>
>
>  3) Make a "tracert <server>" on a commandline on both regular PC and laptop
>
>     To see if the network paths are different (firewalls/routers/proxies)
>
>
>  If this doesn't give any clues I would still try to run Ethereal at the server to see what the difference is between the communication between a regular PC and a laptop...
>
>  Some other useful info you could provide:
>
>  - Windows version (incl. ServicePacks) of the server running Tomcat
>
>  - Windows version (incl. SPs) of the domain controller
>
>  - Windows version (incl. SPs) on laptops
>
>  - Windows version (incl. SPs) on regular PC's.
>
>  - Internet Explorer versions (incl. SPs) on laptop
>
>  - Internet Explorer versions (incl. SPs) on regular PC's.
>
>
>  HTH,
>  Torben
>
>
>
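
The registry values discussed in this thread can be decoded mechanically. The following is an added example, not part of the original messages and not jCIFS code: it decodes LMCompatibilityLevel and the NtlmMinClientSec bitmask using Microsoft's documented policy names, and checks them against a peer whose capabilities (`peer_ntlmv2`, `peer_ntlm2_session`, both hypothetical switches) the caller supplies.

```python
# Added example: decode the LSA registry values quoted in this thread.
# LmCompatibilityLevel meanings as documented by Microsoft (client behaviour).
LM_LEVELS = {
    0: "send LM and NTLM responses",
    1: "send LM and NTLM; NTLMv2 session security if negotiated",
    2: "send NTLM response only",
    3: "send NTLMv2 response only",
    4: "send NTLMv2 response only; DC refuses LM",
    5: "send NTLMv2 response only; DC refuses LM and NTLM",
}
# Bits of NtlmMinClientSec / NtlmMinServerSec, using Microsoft's policy names.
MIN_SEC_FLAGS = {
    0x00000010: "message integrity",
    0x00000020: "message confidentiality",
    0x00080000: "NTLMv2 session security",
    0x20000000: "128-bit encryption",
    0x80000000: "56-bit encryption",
}

def decode_min_sec(value):
    """Return (names of the known bits that are set, leftover unknown bits)."""
    names, known = [], 0
    for bit, name in sorted(MIN_SEC_FLAGS.items()):
        known |= bit
        if value & bit:
            names.append(name)
    return names, value & ~known

def audit(lm_level, min_client_sec, peer_ntlmv2, peer_ntlm2_session):
    """List reasons a client with these settings fails against a peer.

    peer_ntlmv2 / peer_ntlm2_session are hypothetical capability switches
    for the NTLM implementation on the other end, supplied by the caller.
    """
    problems = []
    if lm_level not in LM_LEVELS:
        problems.append("LMCompatibilityLevel %r is out of range" % lm_level)
    elif lm_level >= 3 and not peer_ntlmv2:
        problems.append("client will " + LM_LEVELS[lm_level])
    names, unknown = decode_min_sec(min_client_sec)
    if "NTLMv2 session security" in names and not peer_ntlm2_session:
        problems.append("NtlmMinClientSec requires NTLMv2 session security")
    if unknown:
        problems.append("NtlmMinClientSec has unknown bits 0x%08X" % unknown)
    return problems

if __name__ == "__main__":
    # Values reported for the failing laptop in the thread.
    print(decode_min_sec(0x20080000))
    for line in audit(5, 0x20080000, peer_ntlmv2=True, peer_ntlm2_session=False):
        print("-", line)
```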

