[jcifs] JCIFS Authentication Problem with Second User

Stover, Beth BStover at NorcalMutual.com
Wed Jul 11 22:31:16 GMT 2007


I'm hoping to get some help with an authentication issue with Tomcat, NTLM and IIS. My apologies for the long post.
We purchased a 3rd-party application that runs an embedded Tomcat server. Tomcat runs a web application for reporting. It uses JCIFS as a connection mechanism. The application writes to and reads from a SQL Server 2005 database. Security is controlled through Active Directory.
IIS 6.0 is the web server with an application pool configured. Somehow the application pool and Tomcat work together. I'm still not clear on that part.
The OS is Windows 2003 R2 SP1. IIS is configured with Windows Integrated authentication. Tomcat is configured to use NTLM HTTP authentication to our domain as well.
Users are domain users and have all the necessary permissions to access resources -- SQL, website, app pool, etc.
We're using the jcifs-1.2.0.jar library. I tried replacing it with the newest one, jcifs-1.2.14.jar, and that didn't help.
The problem:
A user can access the reporting website using the URL http://servername:portnumber. The user is automatically authenticated and can get to everything she needs.
HOWEVER, if a 2nd user attempts to log in to the reporting website, the user is prompted for a username and password, but the credentials do not work. This same user could log on later when the first user logs off. Sometimes it all works fine. Other times, this problem happens.
When the problem occurs, the login prompt window has this title:
"connect to JCIFS1_148_60 in <My Domain Name>"
This leads me to believe the problem has to do with the Tomcat configuration -- maybe a problem with session limits?
We've repeated this with both IE and Firefox.  We've adjusted the security zone settings in IE, and that doesn't help.  I've also tried quite a few changes in the web.xml file based on the API index information I got here:
http://jcifs.samba.org/src/docs/api/index.html
Here's an excerpt from my web.xml:

    <filter>
        <filter-name>NTLM HTTP Authentication Filter</filter-name>
        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
        <!--init-param>
            <param-name>jcifs.http.domainController</param-name>
            <param-value>10.10.10.10</param-value>
        </init-param-->
        <init-param>
            <param-name>jcifs.netbios.lookupRespLimit</param-name>
            <param-value>1</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.util.loglevel</param-name>
            <param-value>4</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.encoding</param-name>
            <param-value>cp1252</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.domain</param-name>
            <param-value>mydomain</param-value>
        </init-param>
        <!-- optional parameters, uncomment as required -->
        <!-- if WINS is used, this parameter should be used instead of the jcifs.http.domainController parameter above -->
        <init-param>
            <param-name>jcifs.netbios.wins</param-name>
            <param-value>10.10.10.11</param-value>
        </init-param>
        <!-- try the following with value 1 through to 3 if you are getting the JCIFS authentication dialog box popping up when you try to access Reporter -->
        <init-param>
            <param-name>jcifs.smb.lmCompatibility</param-name>
            <param-value>0</param-value>
        </init-param>
        <!-- as an extreme last ditch effort, try to authenticate by a shared folder on the server, if you are installing on the same server as Hydra Manager you can try the Hydra folder -->
        <!-- <init-param>
            <param-name>jcifs.smb.client.logonShare</param-name>
            <param-value>*name of shared directory*</param-value>
        </init-param> -->
    </filter>

I see this in the stdout.log:

NtlmHttpFilter: domainname\username: 0xC0000022: jcifs.smb.SmbAuthException: Access is denied.
java.net.SocketException: Connection reset
	at java.net.SocketInputStream.read(Unknown Source)
	at jcifs.util.transport.Transport.readn(Transport.java:29)
	at jcifs.smb.SmbTransport.peekKey(SmbTransport.java:317)
	at jcifs.util.transport.Transport.loop(Transport.java:89)
	at jcifs.util.transport.Transport.run(Transport.java:229)
	at java.lang.Thread.run(Unknown Source)
New data read: Transport1[domainname<1C>/10.1.1.104:0]
00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  |ÿSMBr......À....|
00010: 00 00 00 00 00 00 00 00 00 00 27 04 00 00 0A 00  |..........'.....|

byteCount=42 but readBytesWireFormat returned 20
Default credentials (jcifs.smb.client.username/password) not specified. SMB signing may not work properly.  Skipping DC interrogation.
treeConnect: unc=\\domainname$,service=?????
sessionSetup: accountName=username,primaryDomain=domainname
New data read: Transport1[domainname<1C>/10.1.1.104:0]
00000: FF 53 4D 42 73 00 00 00 00 98 07 C0 00 00 9D 76  |ÿSMBs......À...v|
00010: AE 42 14 A0 37 2B 00 00 07 B0 27 04 03 E0 0B 00  |®B. 7+...°'..à..|

"Access is denied" message would seem to point to incorrect credentials, but I know the credentials are correct because the user can log in when no other users are logged in.  The problem only occurs when multiple users try to connect to the web application.
I also tried setting up 'preauthentication' using the appropriate entries in the web.xml, but that didn't work either.  I tried changing web.xml so that multiple domain controllers are used.  I tried editing so that wins is not used.
I did a packet capture on the failed session, and I see this repeat over and over:

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: NTLM
    Content-Length: 0
    Date: Wed, 11 Jul 2007 21:38:46 GMT
    Server: Apache-Coyote/1.1

Any ideas? Any help would be very appreciated.


Beth
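The capture above only shows the server side of the loop. To see where the NTLM-over-HTTP handshake actually stalls you need to decode the tokens in the WWW-Authenticate and Authorization headers: a bare "WWW-Authenticate: NTLM" sent after the browser has already delivered its Type 3 means the server threw the response away and restarted, whereas a Type 1 that is never answered with a Type 2 means the filter never obtained a challenge. The script below is an added diagnostic example, not code from the original post and not part of JCIFS. It decodes NTLMSSP tokens per the MS-NLMP layout and classifies a capture given one status line or header per line. The message builders, the names MYDOMAIN, WKS1 and user1, and the sample exchange are constructed for the example (the Type 3 carries dummy all-zero responses, so nothing here performs real authentication).

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"       # offsets below follow MS-NLMP
NEGOTIATE_UNICODE = 0x00000001

def _desc(part, offset):
    """(Len, MaxLen, BufferOffset) descriptor pointing at `part` in the payload."""
    return struct.pack("<HHI", len(part), len(part), offset)

def _field(buf, off):
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]

def _text(raw, flags):
    return raw.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii", "replace")

def build_type1(domain=b"MYDOMAIN", workstation=b"WKS1", flags=0x00000207):
    """Type 1 (NEGOTIATE): 32-byte header, then OEM domain and workstation names (constructed)."""
    return (NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + _desc(domain, 32)
            + _desc(workstation, 32 + len(domain)) + domain + workstation)

def build_type2(target="MYDOMAIN", challenge=bytes(range(8)), flags=0x00010201):
    """Type 2 (CHALLENGE): 48-byte header; the 8-byte server challenge is at offset 24."""
    tname = target.encode("utf-16-le")
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2) + _desc(tname, 48) + struct.pack("<I", flags)
            + challenge + bytes(8) + _desc(b"", 48 + len(tname)) + tname)

def build_type3(domain="MYDOMAIN", user="user1", workstation="WKS1", flags=0x00000201):
    """Type 3 (AUTHENTICATE): six descriptors then flags (64-byte header); dummy 24-byte responses."""
    parts = [bytes(24), bytes(24)] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    descs, payload = b"", b""
    for part in parts:
        descs += _desc(part, 64 + len(payload))
        payload += part
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + descs + struct.pack("<I", flags) + payload

def parse_ntlm_message(token_b64):
    """Decode the base64 token after 'NTLM ' in a WWW-Authenticate or Authorization header."""
    raw = base64.b64decode(token_b64)
    if not raw.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    if msg_type == 1:
        return {"type": 1, "domain": _field(raw, 16).decode("ascii", "replace"),
                "workstation": _field(raw, 24).decode("ascii", "replace")}
    if msg_type == 2:
        flags = struct.unpack_from("<I", raw, 20)[0]
        return {"type": 2, "target": _text(_field(raw, 12), flags), "challenge": raw[24:32].hex()}
    if msg_type == 3:
        flags = struct.unpack_from("<I", raw, 60)[0]
        return {"type": 3, "domain": _text(_field(raw, 28), flags),
                "user": _text(_field(raw, 36), flags), "nt_response_len": len(_field(raw, 20))}
    raise ValueError(f"unknown NTLMSSP message type {msg_type}")

def trace_handshake(lines):
    """(who, step) per capture line; step 0 = bare 'NTLM' (server (re)starts), 1/2/3 = message type."""
    steps = []
    for line in lines:
        if line.startswith("HTTP/"):
            steps.append(("status", int(line.split()[1])))
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name not in ("www-authenticate", "authorization"):
            continue
        who = "server" if name == "www-authenticate" else "client"
        if value.upper() == "NTLM":
            steps.append((who, 0))
        elif value[:5].upper() == "NTLM ":
            steps.append((who, parse_ntlm_message(value[5:])["type"]))
    return steps

def diagnose(lines):
    """Report where an NTLM-over-HTTP exchange stalled."""
    steps = trace_handshake(lines)
    if ("client", 3) in steps:
        after = steps[len(steps) - steps[::-1].index(("client", 3)):]
        if ("status", 200) in after:
            return "authenticated"
        if ("server", 0) in after:
            return "type3-rejected"   # server threw the Type 3 away and restarted the handshake
        return "incomplete"
    if ("client", 1) in steps and ("server", 2) not in steps:
        return "no-challenge"         # server never answered the Type 1 with a Type 2
    return "incomplete"

def b64token(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed capture shaped like the failing session in the post: after the client's Type 3
# the server answers 401 with a bare "WWW-Authenticate: NTLM" again, so the browser loops.
FAILING_EXCHANGE = [
    "HTTP/1.1 401 Unauthorized",
    "WWW-Authenticate: NTLM",
    "Authorization: NTLM " + b64token(build_type1()),
    "HTTP/1.1 401 Unauthorized",
    "WWW-Authenticate: NTLM " + b64token(build_type2()),
    "Authorization: NTLM " + b64token(build_type3()),
    "HTTP/1.1 401 Unauthorized",
    "WWW-Authenticate: NTLM",
]
```

Feed `diagnose()` the header lines of one browser session pulled from the capture (one line per header, with the HTTP status lines kept) and it returns "type3-rejected" for the loop shown in the post, "no-challenge" when the filter never produces a Type 2, and "authenticated" when a 200 follows the Type 3. The "type3-rejected" case is the one that lines up with the 0xC0000022 SmbAuthException in stdout.log: the credentials reached the filter, and it is the filter's check against the domain controller that failed.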

