[jcifs] JCIFS Authentication Problem with Second User

Stover, Beth BStover at NorcalMutual.com
Wed Jul 11 23:25:42 GMT 2007


Hi Thomas,

Thanks for the reply.  I just tried disabling the local policy, Microsoft network server: Digitally sign communications (if client
agrees), and that didn't seem to help.  Microsoft network server: Digitally sign communications (always) was already disabled.

Any other thoughts?

Thanks again ...


Beth


-----Original Message-----
From: Thomas Bley [mailto:thbley at gmail.com] On Behalf Of Thomas Bley
Sent: Wednesday, July 11, 2007 4:01 PM
To: Stover, Beth
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] JCIFS Authentication Problem with Second User

Hello Beth,

Have you tried to disable "signing" on the Win2k3 R2 server?
If not, can you try (see screenshot):
- Microsoft network server: Digitally sign communications (always): set it to Disabled
- Microsoft network server: Digitally sign communications (if client agrees): set it to Disabled
and restart the server.

bye
Thomas


Stover, Beth wrote:
>
> I'm hoping to get some help with an authentication issue with Tomcat,
> NTLM and IIS.  My apologies for the long post.
> We purchased a 3rd party application that runs an embedded Tomcat 
> server. Tomcat runs a web application for reporting. It uses JCIFS as 
> a connection mechanism. The application writes and reads to a SQL 
> Server 2005 database. Security is controlled through Active Directory.
> IIS 6.0 is the web server with an application pool configured. Somehow 
> the application pool and tomcat work together. I'm still not clear on 
> that part.
> The OS is Windows 2003 R2 SP1. IIS is configured with Windows 
> Integrated authentication. Tomcat is configured to use the NTLM HTTP 
> authentication to our Domain as well.
> Users are domain users and have all the necessary permission to access 
> resources -- SQL, website, app pool, etc.
> Using jcifs-1.2.0.jar library.  I tried replacing it with the newest 
> one, jcifs-1.2.14.jar, and that didn't help.
> The problem:
> A user can access the reporting website using the URL 
> _http://servername:portnumber_.
> The user is automatically authenticated and can get to everything she 
> needs.
> HOWEVER, if a 2nd user attempts to log in to the reporting website, 
> the user is prompted for a username and password, but the credentials 
> do not work. This same user could log on later when the first user 
> logs off. Sometimes it all works fine. Other times, this problem 
> happens.
> When the problem occurs, the login prompt window has this title:
> *"connect to JCIFS1_148_60 in <My Domain Name>"* This leads me to 
> believe the problem has to do with the Tomcat configuration -- maybe a 
> problem with session limits?
> We've repeated this with both IE and Firefox.  We've adjusted the 
> security zone settings in IE, and that doesn't help.  I've also tried 
> quite a few changes in the web.xml file based on the API index 
> information I got here:
>
> _http://jcifs.samba.org/src/docs/api/index.html_
> Here's an excerpt from my web.xml:
>
>     <filter>
>         <filter-name>NTLM HTTP Authentication Filter</filter-name>
>         <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
>         <!--init-param>
>             <param-name>jcifs.http.domainController</param-name>
>             <param-value>10.10.10.10</param-value>
>         </init-param-->
>         <init-param>
>             <param-name>jcifs.netbios.lookupRespLimit</param-name>
>             <param-value>1</param-value>
>         </init-param>
>         <init-param>
>             <param-name>jcifs.util.loglevel</param-name>
>             <param-value>4</param-value>
>         </init-param>
>         <init-param>
>             <param-name>jcifs.encoding</param-name>
>             <param-value>cp1252</param-value>
>         </init-param>
>         <init-param>
>             <param-name>jcifs.smb.client.domain</param-name>
>             <param-value>mydomain</param-value>
>         </init-param>
>         <!-- optional parameters, uncomment as required -->
>         <!-- if WINS is used, this parameter should be used instead of the jcifs.http.domainController parameter above -->
>         <init-param>
>             <param-name>jcifs.netbios.wins</param-name>
>             <param-value>10.10.10.11</param-value>
>         </init-param>
>         <!-- try the following with value 1 through to 3 if you are getting the JCIFS authentication dialog box popping up when you try to access Reporter -->
>         <init-param>
>             <param-name>jcifs.smb.lmCompatibility</param-name>
>             <param-value>0</param-value>
>         </init-param>
>         <!-- as an extreme last ditch effort, try to authenticate by a shared folder on the server, if you are installing on the same server as Hydra Manager you can try the Hydra folder -->
>         <!-- <init-param>
>             <param-name>jcifs.smb.client.logonShare</param-name>
>             <param-value>*name of shared directory*</param-value>
>         </init-param> -->
>
> I see this in the stdout.log:
>
> NtlmHttpFilter: domainname\username: 0xC0000022: jcifs.smb.SmbAuthException: Access is denied.
> java.net.SocketException: Connection reset
>         at java.net.SocketInputStream.read(Unknown Source)
>         at jcifs.util.transport.Transport.readn(Transport.java:29)
>         at jcifs.smb.SmbTransport.peekKey(SmbTransport.java:317)
>         at jcifs.util.transport.Transport.loop(Transport.java:89)
>         at jcifs.util.transport.Transport.run(Transport.java:229)
>         at java.lang.Thread.run(Unknown Source)
> New data read: Transport1[domainname<1C>/10.1.1.104:0]
> 00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  |ÿSMBr......À....|
> 00010: 00 00 00 00 00 00 00 00 00 00 27 04 00 00 0A 00  |..........'.....|
>
> byteCount=42 but readBytesWireFormat returned 20
> Default credentials (jcifs.smb.client.username/password) not specified. SMB signing may not work properly.  Skipping DC interrogation.
>
> treeConnect: unc=\\domainname$,service=?????
> sessionSetup: accountName=username,primaryDomain=doaminname
> New data read: Transport1[domainname<1C>/10.1.1.104:0]
> 00000: FF 53 4D 42 73 00 00 00 00 98 07 C0 00 00 9D 76  |ÿSMBs......À...v|
> 00010: AE 42 14 A0 37 2B 00 00 07 B0 27 04 03 E0 0B 00  |®B. 7+...°'..à..|
>
> The "Access is denied" message would seem to point to incorrect
> credentials, but I know the credentials are correct because the user 
> can log in when no other users are logged in.  The problem only occurs 
> when multiple users try to connect to the web application.
>
> I also tried setting up 'preauthentication' using the appropriate 
> entries in the web.xml, but that didn't work either.  I tried changing 
> web.xml so that multiple domain controllers are used.  I tried editing 
> so that WINS is not used.
>
> I did a packet capture on the failed session, and I see this repeat 
> over and over:
> *HTTP/1.1 401 Unauthorized WWW-Authenticate: NTLM Content-Length: 0 
> Date: Wed, 11 Jul 2007 21:38:46 GMT Server: Apache-Coyote/1.1*
>
> Any ideas? Any help would be very appreciated.
>
>
> *Beth*
>
>



