[jcifs] Intermittent authentication failures
Michael B Allen
miallen at ioplex.com
Tue Dec 11 19:15:49 GMT 2007
On Tue, 11 Dec 2007 15:10:19 +0000 (UTC)
Chris Kimpton <chris.kimpton at rabobank.com> wrote:
> Hi,
>
> We have a website that is using jcifs for NT authentication and is generally
> working fine. We are using version 1.2.17. This is via the NtlmFilter, under
> tomcat, running inside jboss 4.0.5.
>
> On a few pages we have some live updating stuff, done via ajax/dwr. They do
> not update too frequently - one call every 3-4 seconds, with checks to ensure
> we do not make a new call if the previous one is still pending.
>
> Intermittently, one of these ajax calls fails authentication and we get a
> username/password popup box.
>
> We are not sure what is causing this - busy domain controller, perhaps.
>
> The jcifs settings are:
>
> set params=%params% -Djcifs.http.basicRealm=[some realm]
> set params=%params% -Djcifs.netbios.wins=[dc server dns name]
> set params=%params% -Djcifs.smb.client.domain=[our domain]
> set params=%params% -Djcifs.resolveOrder=DNS
> set params=%params% -Djcifs.http.domainController=[dc server dns name]
> set params=%params% -Djcifs.smb.client.domain.full=[our fq domain]

Hi Chris,

There's no such property jcifs.smb.client.domain.full but it will just
be ignored by jCIFS.

> set params=%params% -Djcifs.smb.client.username=[a dedicated user]
> set params=%params% -Djcifs.smb.client.password=[its password]
>
> Below is an example of what we see in the logs.

I don't see any error in the log fragment below. The
SmbComSessionSetupAndXResponse has errorCode=0.

Otherwise I don't have any specific knowledge that would explain the
problem.

If it were a "busy domain controller" you would see some timeout errors
or errorCode != 0 or large delays between log message timestamps and
from what you have provided that does not appear to be the case.

Mike

> We are using the NtlmFilter. I have tried subclassing it, with a view to
> trapping an exception (but that does not seem to happen) or check whether the
> ntlmAuth item is in the session - but that seems to be always present once
> logged on.
>
> If we can trap one of these conditions, my thoughts are that we could then
> retry the login a few times, with a delay between, to see if it's just a busy DC.
>
> So - has anybody got any tips on how to achieve this or which jcifs parameters
> we could play with to make it cope with this situation.
>
> Many thanks in advance,
> Chris
>
> 2007-12-11 08:18:04,589 ERROR [STDERR] NtlmHttpFilter: blahblah successfully
> authenticated against blahblah
>
> 2007-12-11 08:18:05,636 ERROR [STDERR] NtlmHttpFilter: blahblah successfully
> authenticated against blahblah
>
> 2007-12-11 08:18:08,277 ERROR [STDERR] SmbComTreeDisconnect
> [command=SMB_COM_TREE_DISCONNECT,received=false,errorCode=0,flags=0x0018,flags2
> =0xC003,signSeq=0,tid=2054,pid=29853,uid=4098,mid=0,wordCount=0,byteCount=0]
>
> 2007-12-11 08:18:08,277 ERROR [STDERR] 00000: FF 53 4D 42 71 00 00 00 00 18 03
> C0 00 00 00 00 |ÿSMBq......À....|
> 00010: 00 00 00 00 00 00 00 00 06 08 9D 74 02 10 00 00 |...........t....|
> 00020: 00 00 00 |... |
> 2007-12-11 08:18:08,277 ERROR [STDERR] SmbComLogoffAndX
> [command=SMB_COM_LOGOFF_ANDX,received=false,errorCode=0,flags=0x0018,flags2=0xC
> 003,signSeq=0,tid=0,pid=29853,uid=4098,mid=0,wordCount=2,byteCount=0,andxComman
> d=0xFF,andxOffset=0]
>
> 2007-12-11 08:18:08,277 ERROR [STDERR] 00000: FF 53 4D 42 74 00 00 00 00 18 03
> C0 00 00 00 00 |ÿSMBt......À....|
> 00010: 00 00 00 00 00 00 00 00 00 00 9D 74 02 10 00 00 |...........t....|
> 00020: 02 FF 00 DE DE 00 00 |.ÿ.ÞÞ.. |
> 2007-12-11 08:18:08,652 ERROR [STDERR] SmbComNegotiate
> [command=SMB_COM_NEGOTIATE,received=false,errorCode=0,flags=0x0018,flags2=0xC00
> 3,signSeq=0,tid=0,pid=29853,uid=0,mid=15,wordCount=0,byteCount=12,wordCount=0,d
> ialects=NT LM 0.12]
>
> 2007-12-11 08:18:08,652 ERROR [STDERR] 00000: FF 53 4D 42 72 00 00 00 00 18 03
> C0 00 00 00 00 |ÿSMBr......À....|
> 00010: 00 00 00 00 00 00 00 00 00 00 9D 74 00 00 0F 00 |...........t....|
> 00020: 00 0C 00 02 4E 54 20 4C 4D 20 30 2E 31 32 00 |....NT LM 0.12. |
> 2007-12-11 08:18:08,667 ERROR [STDERR] New data read: Transport1
> [utcs111d12/172.17.40.2:0]
> 2007-12-11 08:18:08,667 ERROR [STDERR] 00000: FF 53 4D 42 72 00 00 00 00 98 03
> C0 00 00 00 00 |ÿSMBr......À....|
> 00010: 00 00 00 00 00 00 00 00 00 00 9D 74 00 00 0F 00 |...........t....|
> 2007-12-11 08:18:08,667 ERROR [STDERR] byteCount=50 but readBytesWireFormat
> returned 26
> 2007-12-11 08:18:08,667 ERROR [STDERR] SmbComNegotiateResponse
> [command=SMB_COM_NEGOTIATE,received=false,errorCode=0,flags=0x0098,flags2=0xC00
> 3,signSeq=0,tid=0,pid=29853,uid=0,mid=15,wordCount=17,byteCount=50,wordCount=17
> ,dialectIndex=0,securityMode=0x7,security=user,encryptedPasswords=true,maxMpxCo
> unt=50,maxNumberVcs=1,maxBufferSize=16644,maxRawSize=65536,sessionKey=0x0000000
> 0,capabilities=0x0001F3FD,serverTime=Tue Dec 11 08:18:08 GMT
> 2007,serverTimeZone=65476,encryptionKeyLength=8,byteCount=50,encryptionKey=0x00
> 1867E63843EBA9,oemDomainName=RABODEVEU]
>
> 2007-12-11 08:18:08,667 ERROR [STDERR] 00000: FF 53 4D 42 72 00 00 00 00 98 03
> C0 00 00 00 00 |ÿSMBr......À....|
> 00010: 00 00 00 00 00 00 00 00 00 00 9D 74 00 00 0F 00 |...........t....|
> 00020: 11 00 00 07 32 00 01 00 04 41 00 00 00 00 01 |....2....A..... |
> 2007-12-11 08:18:08,667 ERROR [STDERR] treeConnect:
> unc=\\blahblah\IPC$,service=?????
> 2007-12-11 08:18:08,667 ERROR [STDERR] sessionSetup:
> accountName=blahblah,primaryDomain=blahblah
> 2007-12-11 08:18:08,667 ERROR [STDERR] SmbComSessionSetupAndX
> [command=SMB_COM_SESSION_SETUP_ANDX,received=false,errorCode=0,flags=0x0018,fla
> gs2=0xC003,signSeq=0,tid=0,pid=29853,uid=0,mid=16,wordCount=13,byteCount=121,an
> dxCommand=0x75,andxOffset=182,snd_buf_size=16644,maxMpxCount=10,VC_NUMBER=1,ses
> sionKey=0,passwordLength=24,unicodePasswordLength=24,capabilities=4180,accountN
> ame=blahblah,primaryDomain=blahblah,NATIVE_OS=Windows XP,NATIVE_LANMAN=jCIFS]
>
> 2007-12-11 08:18:08,667 ERROR [STDERR] SmbComTreeConnectAndX
> [command=SMB_COM_TREE_CONNECT_ANDX,received=false,errorCode=0,flags=0x0018,flag
> s2=0x0000,signSeq=0,tid=0,pid=29853,uid=0,mid=0,wordCount=4,byteCount=43,andxCo
> mmand=0xFF,andxOffset=0,disconnectTid=false,passwordLength=1,password=,path=\\b
> lahblah\IPC$,service=?????]
>
> 2007-12-11 08:18:08,683 ERROR [STDERR] New data read: Transport1
> [utcs111d12/172.17.40.2:0]
> 2007-12-11 08:18:08,683 ERROR [STDERR] 00000: FF 53 4D 42 73 00 00 00 00 98 03
> C0 00 00 00 00 |ÿSMBs......À....|
> 00010: 00 00 00 00 00 00 00 00 01 08 9D 74 01 08 10 00 |...........t....|
> 2007-12-11 08:18:08,699 ERROR [STDERR] SmbComSessionSetupAndXResponse
> [command=SMB_COM_SESSION_SETUP_ANDX,received=false,errorCode=0,flags=0x0098,fla
> gs2=0xC003,signSeq=0,tid=2049,pid=29853,uid=2049,mid=16,wordCount=3,byteCount=1
> 48,andxCommand=0x75,andxOffset=189,isLoggedInAsGuest=false,nativeOs=Windows
> Server 2003 3790 Service Pack 2,nativeLanMan=Windows Server 2003
> 5.2,primaryDomain=RABODEVEU]
>
> 2007-12-11 08:18:08,699 ERROR [STDERR] NtlmHttpFilter: blahblah successfully
> authenticated against blahblah
>
> 2007-12-11 08:18:09,574 ERROR [STDERR] NtlmHttpFilter: blahblah successfully
> authenticated against blahblah
>
>
>
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
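
The indicators named in the reply above (errorCode != 0, large delays between log timestamps) can be checked mechanically over a jCIFS debug log. The following is an added example, not part of the original message and not jCIFS code: the sample log is constructed, `triage` and `max_latency_s` are hypothetical names, and measuring delay by pairing each reply with its request on `command` and `mid` is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the jCIFS debug log quoted above (lines
# unwrapped, fields trimmed). The last reply is altered to arrive late with a
# constructed non-zero errorCode; it is not taken from the original log.
SAMPLE_LOG = """\
2007-12-11 08:18:08,652 ERROR [STDERR] SmbComNegotiate [command=SMB_COM_NEGOTIATE,errorCode=0,mid=15]
2007-12-11 08:18:08,667 ERROR [STDERR] SmbComNegotiateResponse [command=SMB_COM_NEGOTIATE,errorCode=0,mid=15]
2007-12-11 08:18:08,667 ERROR [STDERR] SmbComSessionSetupAndX [command=SMB_COM_SESSION_SETUP_ANDX,errorCode=0,mid=16]
2007-12-11 08:18:14,699 ERROR [STDERR] SmbComSessionSetupAndXResponse [command=SMB_COM_SESSION_SETUP_ANDX,errorCode=0xC000006D,mid=16]
"""

# timestamp, level, [logger], message class name, [comma-separated fields]
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \S+ \[\S+\] (\w+) \[(.*)\]$")

def triage(log_text, max_latency_s=1.0):
    """Return findings: ("error", msg, code) or ("slow", msg, seconds)."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # hex dumps, NtlmHttpFilter lines, wrapped fragments
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        name = m.group(2)
        fields = dict(kv.split("=", 1) for kv in m.group(3).split(",") if "=" in kv)
        # Any errorCode other than the literal 0 is a failure reported by the server.
        if fields.get("errorCode", "0") != "0":
            findings.append(("error", name, fields["errorCode"]))
        # Assumption: a reply carries the same command and mid as its request.
        key = (fields.get("command"), fields.get("mid"))
        if name.endswith("Response"):
            sent = pending.pop(key, None)
            if sent is not None:
                latency = (when - sent).total_seconds()
                if latency > max_latency_s:
                    findings.append(("slow", name, latency))
        else:
            pending[key] = when
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Log lines must be unwrapped (one message per line) before they are passed in; lines that do not match, such as hex dumps, are skipped.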