[jcifs] JCIFS Authentication Problem with Second User
Stover, Beth
BStover at NorcalMutual.com
Thu Jul 12 15:58:04 GMT 2007
It's a domain member but not a domain controller. The default domain policy doesn't re-enable signing. I tried restarting tomcat and the server itself, and that didn't seem to help.
I noticed event log errors after disabling "Microsoft network server: Digitally sign communications (if client agrees)". These are application errors -- "(401) unauthorized." Also, after making the change to the local policy, I can't log into the server using the remote desktop client as domain admin. Local admin works fine. When I try to log in as domain admin, I get a weird pop-up:
"The system cannot log you on due to the following error: Access is denied."
Beth
-----Original Message-----
From: Thomas Bley [mailto:thbley at gmail.com] On Behalf Of Thomas Bley
Sent: Wednesday, July 11, 2007 4:32 PM
To: Stover, Beth
Subject: Re: [jcifs] JCIFS Authentication Problem with Second User
Is the win2k3 r2 machine a domain controller? (If yes, the domain controller security policy also needs to be changed.) Have you restarted the tomcat server?
Stover, Beth wrote:
> Hi Thomas,
>
> Thanks for the reply. I just tried disabling the local policy
> "Microsoft network server: Digitally sign communications (if client agrees)", and that didn't seem to help. "Microsoft network server: Digitally sign communications (always)" was already disabled.
>
> Any other thoughts?
>
> Thanks again ...
>
>
> Beth
>
>
> -----Original Message-----
> From: Thomas Bley [mailto:thbley at gmail.com] On Behalf Of Thomas Bley
> Sent: Wednesday, July 11, 2007 4:01 PM
> To: Stover, Beth
> Cc: jcifs at lists.samba.org
> Subject: Re: [jcifs] JCIFS Authentication Problem with Second User
>
> Hello Beth,
>
> have you tried to disable "signing" on the Win2k3 R2 server ?
> If not, can you try (see screenshot):
> - Microsoft network server: Digitally sign communications (always):
> set it to Disabled
> - Microsoft network server: Digitally sign communications (if client
> agrees): set it to Disabled
> and restart the server.
>
> bye
> Thomas
>
>
> Stover, Beth wrote:
>
>> I'm hoping to get some help with an authentication issue with tomcat,
>> NTLM and IIS. My apologies for the long post.
>> We purchased a 3rd party application that runs an embedded Tomcat
>> server. Tomcat runs a web application for reporting. It uses JCIFS as
>> a connection mechanism. The application writes and reads to a SQL
>> Server 2005 database. Security is controlled through Active Directory.
>> IIS 6.0 is the web server with an application pool configured.
>> Somehow the application pool and tomcat work together. I'm still not
>> clear on that part.
>> The OS is Windows 2003 R2 SP1. IIS is configured with Windows
>> Integrated authentication. Tomcat is configured to use the NTLM HTTP
>> authentication to our Domain as well.
>> Users are domain users and have all the necessary permission to
>> access resources -- SQL, website, app pool, etc.
>> Using jcifs-1.2.0.jar library. I tried replacing it with the newest
>> one, jcifs-1.2.14.jar, and that didn't help.
>> The problem:
>> A user can access the reporting website using the URL
>> http://servername:portnumber.
>> The user is automatically authenticated and can get to everything she
>> needs.
>> HOWEVER, if a 2nd user attempts to log in to the reporting website,
>> the user is prompted for a username and password, but the credentials
>> do not work. This same user could log on later when the first user
>> logs off. Sometimes it all works fine. Other times, this problem
>> happens.
>> When the problem occurs, the login prompt window has this title:
>> "connect to JCIFS1_148_60 in <My Domain Name>" This leads me to
>> believe the problem has to do with the Tomcat configuration -- maybe
>> a problem with session limits?
>> We've repeated this with both IE and Firefox. We've adjusted the
>> security zone settings in IE, and that doesn't help. I've also tried
>> quite a few changes in the web.xml file based on the API index
>> information I got here:
>>
>> http://jcifs.samba.org/src/docs/api/index.html
>> Here's an excerpt from my web.xml:
>>
>>   <filter>
>>     <filter-name>NTLM HTTP Authentication Filter</filter-name>
>>     <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
>>     <!--init-param>
>>       <param-name>jcifs.http.domainController</param-name>
>>       <param-value>10.10.10.10</param-value>
>>     </init-param-->
>>     <init-param>
>>       <param-name>jcifs.netbios.lookupRespLimit</param-name>
>>       <param-value>1</param-value>
>>     </init-param>
>>     <init-param>
>>       <param-name>jcifs.util.loglevel</param-name>
>>       <param-value>4</param-value>
>>     </init-param>
>>     <init-param>
>>       <param-name>jcifs.encoding</param-name>
>>       <param-value>cp1252</param-value>
>>     </init-param>
>>     <init-param>
>>       <param-name>jcifs.smb.client.domain</param-name>
>>       <param-value>mydomain</param-value>
>>     </init-param>
>>     <!-- optional parameters, uncomment as required -->
>>     <!-- if WINS is used, this parameter should be used
>>          instead of the jcifs.http.domainController parameter above -->
>>     <init-param>
>>       <param-name>jcifs.netbios.wins</param-name>
>>       <param-value>10.10.10.11</param-value>
>>     </init-param>
>>     <!-- try the following with value 1 through to 3 if
>>          you are getting the JCIFS authentication dialog box popping up when
>>          you try to access Reporter -->
>>     <init-param>
>>       <param-name>jcifs.smb.lmCompatibility</param-name>
>>       <param-value>0</param-value>
>>     </init-param>
>>     <!-- as an extreme last ditch effort, try to
>>          authenticate by a shared folder on the server, if you are installing
>>          on the same server as Hydra Manager you can try the Hydra folder -->
>>     <!-- <init-param>
>>       <param-name>jcifs.smb.client.logonShare</param-name>
>>       <param-value>name of shared directory</param-value>
>>     </init-param> -->
>>
>> I see this in the stdout.log:
>>
>> NtlmHttpFilter: domainname\username: 0xC0000022: jcifs.smb.SmbAuthException: Access is denied.
>> java.net.SocketException: Connection reset
>>   at java.net.SocketInputStream.read(Unknown Source)
>>   at jcifs.util.transport.Transport.readn(Transport.java:29)
>>   at jcifs.smb.SmbTransport.peekKey(SmbTransport.java:317)
>>   at jcifs.util.transport.Transport.loop(Transport.java:89)
>>   at jcifs.util.transport.Transport.run(Transport.java:229)
>>   at java.lang.Thread.run(Unknown Source)
>> New data read: Transport1[domainname<1C>/10.1.1.104:0]
>> 00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  |ÿSMBr......À....|
>> 00010: 00 00 00 00 00 00 00 00 00 00 27 04 00 00 0A 00  |..........'.....|
>>
>> byteCount=42 but readBytesWireFormat returned 20
>> Default credentials (jcifs.smb.client.username/password) not specified. SMB signing may not work properly. Skipping DC interrogation.
>>
>> treeConnect: unc=\\domainname$,service=?????
>> sessionSetup: accountName=username,primaryDomain=domainname
>> New data read: Transport1[domainname<1C>/10.1.1.104:0]
>> 00000: FF 53 4D 42 73 00 00 00 00 98 07 C0 00 00 9D 76  |ÿSMBs......À...v|
>> 00010: AE 42 14 A0 37 2B 00 00 07 B0 27 04 03 E0 0B 00  |®B. 7+...°'..à..|
>>
>> "Access is denied" message would seem to point to incorrect
>> credentials, but I know the credentials are correct because the user
>> can log in when no other users are logged in. The problem only
>> occurs when multiple users try to connect to the web application.
>>
>> I also tried setting up 'preauthentication' using the appropriate
>> entries in the web.xml, but that didn't work either. I tried
>> changing web.xml so that multiple domain controllers are used. I
>> tried editing so that wins is not used.
>>
>> I did a packet capture on the failed session, and I see this repeat
>> over and over:
>> HTTP/1.1 401 Unauthorized
>> WWW-Authenticate: NTLM
>> Content-Length: 0
>> Date: Wed, 11 Jul 2007 21:38:46 GMT
>> Server: Apache-Coyote/1.1
>>
>> Any ideas? Any help would be very appreciated
>>
>>
>> Beth
>>
>>
>>
>
>
>
>
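Added worked example (my own code, not part of this thread and not from the JCIFS project): a decoder for the two 32-byte SMB1 headers that appear as "New data read" hex dumps in Beth's log excerpt above, plus a splitter for the NTSTATUS value 0xC0000022 in the NtlmHttpFilter line. The header bytes are transcribed from those dumps; the field layout, command numbers, flag bits and status names are the SMB1 header and NTSTATUS layouts as documented by Microsoft (MS-CIFS, MS-ERREF). It does not diagnose the second-user failure; it only makes the dumped bytes readable.

```python
"""Decode the SMB1 headers and NTSTATUS code quoted in the jcifs log above."""
import struct

# Transcribed from the two "New data read" dumps in the quoted log
# (constructed from the page text, not captured here).
NEGOTIATE_RESPONSE = bytes.fromhex(
    "FF534D42 72 00000000 98 03C0 0000 0000000000000000 0000 0000 2704 0000 0A00")
SESSION_SETUP_RESPONSE = bytes.fromhex(
    "FF534D42 73 00000000 98 07C0 0000 9D76AE4214A0372B 0000 07B0 2704 03E0 0B00")

# Fixed 32-byte SMB1 header, little-endian:
# proto(4) cmd(1) status(4) flags(1) flags2(2) pidhigh(2) signature(8)
# reserved(2) tid(2) pidlow(2) uid(2) mid(2)
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")

COMMANDS = {0x72: "SMB_COM_NEGOTIATE", 0x73: "SMB_COM_SESSION_SETUP_ANDX",
            0x75: "SMB_COM_TREE_CONNECT_ANDX"}
FLAGS = {0x08: "CASE_INSENSITIVE", 0x10: "CANONICALIZED_PATHS", 0x80: "REPLY"}
FLAGS2 = {0x0001: "LONG_NAMES", 0x0002: "EAS", 0x0004: "SECURITY_SIGNATURE",
          0x0010: "SECURITY_SIGNATURE_REQUIRED", 0x0800: "EXTENDED_SECURITY",
          0x4000: "NT_STATUS", 0x8000: "UNICODE"}
NTSTATUS = {0x00000000: "STATUS_SUCCESS",
            0xC0000016: "STATUS_MORE_PROCESSING_REQUIRED",
            0xC0000022: "STATUS_ACCESS_DENIED",
            0xC000006D: "STATUS_LOGON_FAILURE"}


def _bits(value, table):
    """Names of the bits from table that are set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_smb_header(raw):
    """Return a dict describing the 32-byte SMB1 header at the start of raw."""
    if len(raw) < SMB_HEADER.size or raw[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 header")
    (_proto, cmd, status, flags, flags2, pid_high, sig,
     _reserved, tid, pid_low, uid, mid) = SMB_HEADER.unpack_from(raw)
    return {
        "command": COMMANDS.get(cmd, "0x%02X" % cmd),
        "status": status,
        "status_name": NTSTATUS.get(status, "0x%08X" % status),
        "flags": _bits(flags, FLAGS),
        "flags2": _bits(flags2, FLAGS2),
        # A frame is signed only if the peer says so AND actually filled the field.
        "signed": bool(flags2 & 0x0004) and sig != b"\0" * 8,
        "signature": sig.hex(),
        "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid,
    }


def decode_ntstatus(code):
    """Split an NTSTATUS into severity / facility / code (top two bits = severity)."""
    severity = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")[code >> 30]
    return {"severity": severity, "facility": (code >> 16) & 0x0FFF,
            "code": code & 0xFFFF, "name": NTSTATUS.get(code, "unknown")}


if __name__ == "__main__":
    for label, frame in (("negotiate reply", NEGOTIATE_RESPONSE),
                         ("session setup reply", SESSION_SETUP_RESPONSE)):
        h = parse_smb_header(frame)
        print(label, h["command"], h["status_name"], "signed=%s" % h["signed"],
              "flags2=%s" % ",".join(h["flags2"]),
              "tid=0x%04X uid=0x%04X mid=%d" % (h["tid"], h["uid"], h["mid"]))
    print("NtlmHttpFilter code:", decode_ntstatus(0xC0000022))
```

Running it shows that both dumped frames are replies (REPLY flag set) whose header status field is STATUS_SUCCESS; that the negotiate reply (0x72) has flags2 0xC003 with an all-zero signature field, while the session setup reply (0x73) has flags2 0xC007, i.e. SECURITY_SIGNATURE set, and a non-zero eight-byte signature, so the server was signing by the time the session was set up; and that 0xC0000022 is STATUS_ACCESS_DENIED, a different code from STATUS_LOGON_FAILURE (0xC000006D), the value a wrong password produces.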