[jcifs] Re: JCIFS Authentication Problem with Second User (ThomasBley)

Michael B Allen miallen at ioplex.com
Sat Jul 14 07:11:45 GMT 2007


This is not a good solution because it assumes two users will not
authenticate within 500ms AND it assumes that the DC can respond
within 500ms. Both assumptions are false.

OTOH don't ask me what the problem is because I don't know. I can only
guess that the operator is using a very old version of JCIFS that had
broken signing.

Mike

On Fri, 13 Jul 2007 10:28:19 -0700
"Stover, Beth" <BStover at NorcalMutual.com> wrote:

> This resolved the problem. Thank you!  
>  
> If you're anywhere near SF, then I owe you a beer.
>  
> Cheers!
>  
> 
> Beth
> 
>  
> 
> ________________________________
> 
> From: jcifs-bounces+bstover=norcalmutual.com at lists.samba.org [mailto:jcifs-bounces+bstover=norcalmutual.com at lists.samba.org] On Behalf Of Agustin Rodriguez
> Sent: Thursday, July 12, 2007 2:32 PM
> To: jcifs at lists.samba.org
> Subject: [jcifs] Re: JCIFS Authentication Problem with Second User (ThomasBley)
> 
> 
> I ran into this problem as well and the way I was able to correct it is to set up the timeout property to 500ms
>  
> <init-param>
>       <param-name>jcifs.smb.client.soTimeout</param-name>
>       <param-value>500</param-value>
> </init-param>
> 
> 
>  
> On 7/11/07, jcifs-request at lists.samba.org <jcifs-request at lists.samba.org > wrote: 
> 
> 	Date: Thu, 12 Jul 2007 01:01:15 +0200
> 	From: Thomas Bley <thomas.bley at simple-groupware.de >
> 	Subject: Re: [jcifs] JCIFS Authentication Problem with Second User
> 	To: "Stover, Beth" <BStover at NorcalMutual.com>
> 	Cc: jcifs at lists.samba.org
> 	Message-ID: <4695613B.3080002 at simple-groupware.de>
> 	Content-Type: text/plain; charset="iso-8859-1"
> 	
> 	Hello Beth, 
> 	
> 	have you tried to disable "signing" on the Win2k3 R2 server ?
> 	If not, can you try (see screenshot):
> 	- Microsoft network server: Digitally sign communications (always): set
> 	it to Disabled
> 	- Microsoft network server: Digitally sign communications (if client 
> 	agrees): set it to Disabled
> 	and restart the server.
> 	
> 	bye
> 	Thomas
> 	
> 	
> 	Stover, Beth wrote:
> 	>
> 	> I'm hoping to get some help with an authentication issue with tomcat,
> 	> NTLM and IIS.  My apologies for the long post. 
> 	> We purchased a 3rd party application that runs an embedded Tomcat
> 	> server. Tomcat runs a web application for reporting. It uses JCIFS as
> 	> a connection mechanism. The application writes and
> 	> reads to a SQL Server 2005 database. Security is controlled through 
> 	> Active Directory.
> 	> IIS 6.0 is the web server with an application pool configured. Somehow the
> 	> application pool and tomcat work together. I'm still not clear on that
> 	> part.
> 	> The OS is Windows 2003 R2 SP1. IIS is configured with Windows Integrated 
> 	> authentication. Tomcat is configured to use the NTLM HTTP
> 	> authentication to our Domain as well.
> 	> Users are domain users and have all the necessary permission to access
> 	> resources -- SQL, website, app pool, etc. 
> 	> Using jcifs-1.2.0.jar library.  I tried replacing it with the newest
> 	> one, jcifs-1.2.14.jar, and that didn't help.
> 	> The problem:
> 	> A user can access the reporting website using the URL
> 	> _http://servername:portnumber_.
> 	> The user is automatically authenticated and can get to everything she
> 	> needs.
> 	> HOWEVER, if a 2nd user attempts to log in to the reporting
> 	> website, the user is prompted for a username and password, but the 
> 	> credentials do not work. This same user could log on later when the
> 	> first user logs off. Sometimes it all works fine. Other times, this
> 	> problem happens.
> 	> When the problem occurs, the login prompt window has this title: 
> 	> *"connect to JCIFS1_148_60 in <My Domain Name>"*
> 	> This leads me to believe the problem has to do with the Tomcat
> 	> configuration -- maybe a problem with session limits?
> 	> We've repeated this with both IE and Firefox.  We've adjusted the 
> 	> security zone settings in IE, and that doesn't help.  I've also tried
> 	> quite a few changes in the web.xml file based on the API index
> 	> information I got here:
> 	>
> 	> _http://jcifs.samba.org/src/docs/api/index.html_ 
> 	> Here's an excerpt from my web.xml:
> 	>
> 	>     <filter>
> 	>         <filter-name>NTLM HTTP Authentication Filter</filter-name>
> 	>         <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> 	>         <!--init-param>
> 	>             <param-name>jcifs.http.domainController</param-name>
> 	>             <param-value>10.10.10.10</param-value>
> 	>         </init-param-->
> 	>         <init-param>
> 	>             <param-name>jcifs.netbios.lookupRespLimit</param-name>
> 	>             <param-value>1</param-value>
> 	>         </init-param>
> 	>         <init-param>
> 	>             <param-name>jcifs.util.loglevel</param-name>
> 	>             <param-value>4</param-value>
> 	>         </init-param>
> 	>         <init-param>
> 	>             <param-name>jcifs.encoding</param-name>
> 	>             <param-value>cp1252</param-value>
> 	>         </init-param>
> 	>         <init-param>
> 	>             <param-name>jcifs.smb.client.domain</param-name>
> 	>             <param-value>mydomain</param-value>
> 	>         </init-param>
> 	>         <!-- optional parameters, uncomment as required -->
> 	>         <!-- if WINS is used, this parameter should be used instead of the jcifs.http.domainController parameter above -->
> 	>         <init-param>
> 	>             <param-name>jcifs.netbios.wins</param-name>
> 	>             <param-value>10.10.10.11</param-value>
> 	>         </init-param>
> 	>         <!-- try the following with value 1 through to 3 if you are getting the JCIFS authentication dialog box popping up when you try to access Reporter -->
> 	>         <init-param>
> 	>             <param-name>jcifs.smb.lmCompatibility</param-name>
> 	>             <param-value>0</param-value>
> 	>         </init-param>
> 	>         <!-- as an extreme last ditch effort, try to authenticate by a shared folder on the server, if you are installing on the same server as Hydra Manager you can try the Hydra folder -->
> 	>         <!-- <init-param>
> 	>             <param-name>jcifs.smb.client.logonShare</param-name>
> 	>             <param-value>*name of shared directory*</param-value>
> 	>         </init-param> -->
> 	>
> 	> I see this in the stdout.log:
> 	>
> 	> NtlmHttpFilter: domainname\username: 0xC0000022: jcifs.smb.SmbAuthException: Access is denied.
> 	> java.net.SocketException: Connection reset
> 	>         at java.net.SocketInputStream.read(Unknown Source)
> 	>         at jcifs.util.transport.Transport.readn(Transport.java:29)
> 	>         at jcifs.smb.SmbTransport.peekKey(SmbTransport.java:317)
> 	>         at jcifs.util.transport.Transport.loop(Transport.java:89)
> 	>         at jcifs.util.transport.Transport.run(Transport.java:229)
> 	>         at java.lang.Thread.run(Unknown Source)
> 	> New data read: Transport1[domainname<1C>/10.1.1.104:0]
> 	> 00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  |ÿSMBr......À....|
> 	> 00010: 00 00 00 00 00 00 00 00 00 00 27 04 00 00 0A 00  |..........'.....|
> 	>
> 	> byteCount=42 but readBytesWireFormat returned 20
> 	> Default credentials (jcifs.smb.client.username/password) not specified. SMB signing may not work properly.  Skipping DC interrogation.
> 	>
> 	> treeConnect: unc=\\domainname$,service=?????
> 	> sessionSetup: accountName=username,primaryDomain=doaminname
> 	> New data read: Transport1[domainname<1C>/10.1.1.104:0]
> 	> 00000: FF 53 4D 42 73 00 00 00 00 98 07 C0 00 00 9D 76  |ÿSMBs......À...v|
> 	> 00010: AE 42 14 A0 37 2B 00 00 07 B0 27 04 03 E0 0B 00  |®B. 7+...°'..à..|
> 	>
> 	> "Access is denied" message would seem to point to incorrect
> 	> credentials, but I know the credentials are correct because the user 
> 	> can log in when no other users are logged in.  The problem only occurs
> 	> when multiple users try to connect to the web application.
> 	>
> 	> I also tried setting up 'preauthentication' using the appropriate 
> 	> entries in the web.xml, but that didn't work either.  I tried changing
> 	> web.xml so that multiple domain controllers are used.  I tried editing
> 	> so that wins is not used.
> 	>
> 	> I did a packet capture on the failed session, and I see this repeat 
> 	> over and over:
> 	> HTTP/1.1 401 Unauthorized
> 	> WWW-Authenticate: NTLM
> 	> Content-Length: 0
> 	> Date: Wed, 11 Jul 2007 21:38:46 GMT
> 	> Server: Apache-Coyote/1.1
> 	>
> 	> Any ideas? Any help would be very appreciated 
> 	>
> 	>
> 	> *Beth*
> 	>
> 	>
> 	
> 	-------------- next part --------------
> 	A non-text attachment was scrubbed...
> 	Name: signing.png
> 	Type: image/png
> 	Size: 16715 bytes
> 	Desc: not available
> 	Url : http://lists.samba.org/archive/jcifs/attachments/20070712/4b2d8616/signing.png
> 	
> 
> 
> 


-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
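
Added example, not part of the original thread: since the discussion turns on whether SMB signing is in play, this Python sketch decodes the fixed 32-byte SMB1 header from the two hex dumps in the quoted stdout.log and reports the command, NT status and the Flags2 signing bit. The function names `dump_to_bytes` and `parse_smb1_header` are made up for this example; the field layout and flag values are those of the SMB1 header.

```python
import re
import struct

# SMB1 header constants (MS-CIFS); only the ones needed for this log.
COMMANDS = {0x72: "NEGOTIATE", 0x73: "SESSION_SETUP_ANDX", 0x75: "TREE_CONNECT_ANDX"}
FLAGS_REPLY = 0x80
FLAGS2 = {0x0004: "SECURITY_SIGNATURE", 0x4000: "NT_STATUS", 0x8000: "UNICODE"}

# Hex columns of the two dumps in the quoted stdout.log (ASCII column dropped).
NEGOTIATE_DUMP = """\
00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 27 04 00 00 0A 00"""
SESSION_SETUP_DUMP = """\
00000: FF 53 4D 42 73 00 00 00 00 98 07 C0 00 00 9D 76
00010: AE 42 14 A0 37 2B 00 00 07 B0 27 04 03 E0 0B 00"""

def dump_to_bytes(dump):
    """Collect the hex column of 'OFFSET: XX XX ... |ascii|' dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        # \W* tolerates mail quoting such as '> > *' in front of the offset.
        m = re.match(r"\W*[0-9A-Fa-f]{5}:((?:\s+[0-9A-Fa-f]{2}\b)+)", line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def parse_smb1_header(raw):
    """Decode the fixed 32-byte SMB1 header (little-endian fields)."""
    if len(raw) < 32 or raw[:4] != b"\xffSMB":
        raise ValueError("not a complete SMB1 header")
    (cmd, status, flags, flags2, _pid_high, signature,
     _reserved, tid, pid, uid, mid) = struct.unpack("<BIBHH8sHHHHH", raw[4:32])
    return {
        "command": COMMANDS.get(cmd, hex(cmd)),
        "nt_status": status,
        "is_reply": bool(flags & FLAGS_REPLY),
        "flags2": sorted(name for bit, name in FLAGS2.items() if flags2 & bit),
        "signed": bool(flags2 & 0x0004),
        "signature": signature.hex(),  # SecurityFeatures field, bytes 14..21
        "tid": tid, "pid": pid, "uid": uid, "mid": mid,
    }

if __name__ == "__main__":
    for dump in (NEGOTIATE_DUMP, SESSION_SETUP_DUMP):
        hdr = parse_smb1_header(dump_to_bytes(dump))
        print(hdr["command"], "signed" if hdr["signed"] else "unsigned", hdr)
```

On these two dumps the negotiate reply has no signature flag while the session-setup reply has it set with a non-zero signature field, and both carry NT status 0, so the `0xC0000022` reported by the filter is not in either dumped header.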

