[jcifs] RE: JCIFS Authentication Problem with Second User (Thomas Bley)
Stover, Beth
BStover at NorcalMutual.com
Mon Jul 16 16:25:15 GMT 2007
My web app is only being accessed by 20 people. It's been working for me since I made the change.
Beth Stover
Systems Administrator
415.395.8768
-----Original Message-----
From: Agustin Rodriguez [mailto:agrodrig at gmail.com]
Sent: Saturday, July 14, 2007 2:28 PM
To: Michael B Allen; Stover, Beth; jcifs at lists.samba.org
Subject: Re: JCIFS Authentication Problem with Second User (Thomas Bley)
I agree with your observation, however if you are looking for authentication requirements for high volume traffic application JCIFS may not be the best option.
Currently, my implementation of JCIFS supports a user base of 2100 corporate users that can be authenticated at any one time during the course of the day.
So far no issues with this particular setup.
On 7/14/07, Michael B Allen <miallen at ioplex.com> wrote:
> This is not a good solution because it assumes two users will not
> authenticate within 500ms AND it assumes that the DC can respond
> within 500ms. Both assumptions are false.
>
> OTOH don't ask me what the problem is because I don't know. I can only
> guess that the operator is using a very old version of JCIFS that had
> broken signing.
>
> Mike
>
> On Fri, 13 Jul 2007 10:28:19 -0700
> "Stover, Beth" <BStover at NorcalMutual.com> wrote:
>
> > This resolved the problem. Thank you!
> >
> > If you're anywhere near SF, then I owe you a beer.
> >
> > Cheers!
> >
> >
> > Beth
> >
> >
> >
> > ________________________________
> >
> > From: jcifs-bounces+bstover=norcalmutual.com at lists.samba.org [mailto:jcifs-bounces+bstover=norcalmutual.com at lists.samba.org] On Behalf Of Agustin Rodriguez
> > Sent: Thursday, July 12, 2007 2:32 PM
> > To: jcifs at lists.samba.org
> > Subject: [jcifs] Re: JCIFS Authentication Problem with Second User (ThomasBley)
> >
> >
> > I ran into this problem as well and the way I was able to correct it
> > is to set up the timeout property to 500ms
> >
> > <init-param>
> >   <param-name>jcifs.smb.client.soTimeout</param-name>
> >   <param-value>500</param-value>
> > </init-param>
> >
> >
> >
> > On 7/11/07, jcifs-request at lists.samba.org <jcifs-request at lists.samba.org> wrote:
> >
> > Message: 1
> > Date: Thu, 12 Jul 2007 01:01:15 +0200
> > From: Thomas Bley <thomas.bley at simple-groupware.de >
> > Subject: Re: [jcifs] JCIFS Authentication Problem with Second User
> > To: "Stover, Beth" <BStover at NorcalMutual.com>
> > Cc: jcifs at lists.samba.org
> > Message-ID: <4695613B.3080002 at simple-groupware.de>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > Hello Beth,
> >
> > have you tried to disable "signing" on the Win2k3 R2 server ?
> > If not, can you try (see screenshot):
> > - Microsoft network server: Digitally sign communications (always): set
> > it to Disabled
> > - Microsoft network server: Digitally sign communications (if client
> > agrees): set it to Disabled
> > and restart the server.
> >
> > bye
> > Thomas
> >
> >
> > Stover, Beth wrote:
> > >
> > > I'm hoping to get some help with an authentication issue with tomcat,
> > > NTLM and IIS. My apologies for the long post.
> > > We purchased a 3rd party application that runs an embedded Tomcat
> > > server. Tomcat runs a web application for reporting. It uses JCIFS as
> > > a connection mechanism. The application writes and
> > > reads to a SQL Server 2005 database. Security is controlled through
> > > Active Directory.
> > > > IIS 6.0 is the web server with an application pool configured. Somehow the
> > > > application pool and tomcat work together. I'm still not clear on that
> > > > part.
> > > > The OS is Windows 2003 R2 SP1. IIS is configured with Windows Integrated
> > > > authentication. Tomcat is configured to use the NTLM HTTP
> > > > authentication to our Domain as well.
> > > Users are domain users and have all the necessary permission to access
> > > resources -- SQL, website, app pool, etc.
> > > Using jcifs-1.2.0.jar library. I tried replacing it with the newest
> > > one, jcifs-1.2.14.jar, and that didn't help.
> > > The problem:
> > > A user can access the reporting website using the URL
> > > _http://servername:portnumber_.
> > > The user is automatically authenticated and can get to everything she
> > > needs.
> > > HOWEVER, if a 2nd user attempts to log in to the reporting
> > > website, the user is prompted for a username and password, but the
> > > credentials do not work. This same user could log on later when the
> > > first user logs off. Sometimes it all works fine. Other times, this
> > > problem happens.
> > > When the problem occurs, the login prompt window has this title:
> > > *"connect to JCIFS1_148_60 in <My Domain Name>"*
> > > This leads me to believe the problem has to do with the Tomcat
> > > configuration -- maybe a problem with session limits?
> > > We've repeated this with both IE and Firefox. We've adjusted the
> > > security zone settings in IE, and that doesn't help. I've also tried
> > > quite a few changes in the web.xml file based on the API index
> > > information I got here:
> > >
> > > _http://jcifs.samba.org/src/docs/api/index.html_
> > > Here's an excerpt from my web.xml:
> > >
> > > > <filter>
> > > >   <filter-name>NTLM HTTP Authentication Filter</filter-name>
> > > >   <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> > > >   <!--init-param>
> > > >     <param-name>jcifs.http.domainController</param-name>
> > > >     <param-value>10.10.10.10</param-value>
> > > >   </init-param-->
> > > >   <init-param>
> > > >     <param-name>jcifs.netbios.lookupRespLimit</param-name>
> > > >     <param-value>1</param-value>
> > > >   </init-param>
> > > >   <init-param>
> > > >     <param-name>jcifs.util.loglevel</param-name>
> > > >     <param-value>4</param-value>
> > > >   </init-param>
> > > >   <init-param>
> > > >     <param-name>jcifs.encoding</param-name>
> > > >     <param-value>cp1252</param-value>
> > > >   </init-param>
> > > >   <init-param>
> > > >     <param-name>jcifs.smb.client.domain</param-name>
> > > >     <param-value>mydomain</param-value>
> > > >   </init-param>
> > > >   <!-- optional parameters, uncomment as required -->
> > > >   <!-- if WINS is used, this parameter should be used
> > > >        instead of the jcifs.http.domainController parameter above -->
> > > >
> > > >   <init-param>
> > > >     <param-name>jcifs.netbios.wins</param-name>
> > > >     <param-value>10.10.10.11</param-value>
> > > >   </init-param>
> > > >   <!-- try the following with value 1 through to 3 if
> > > >        you are getting the JCIFS authentication dialog box popping up when
> > > >        you try to access Reporter -->
> > > >
> > > >   <init-param>
> > > >     <param-name>jcifs.smb.lmCompatibility</param-name>
> > > >     <param-value>0</param-value>
> > > >   </init-param>
> > > >   <!-- as an extreme last ditch effort, try to
> > > >        authenticate by a shared folder on the server, if you are installing
> > > >        on the same server as Hydra Manager you can try the Hydra folder -->
> > > >
> > > >   <!-- <init-param>
> > > >     <param-name>jcifs.smb.client.logonShare</param-name>
> > > >     <param-value>name of shared directory</param-value>
> > > >   </init-param> -->
> > >
> > > I see this in the stdout.log:
> > >
> > > > NtlmHttpFilter: domainname\username: 0xC0000022: jcifs.smb.SmbAuthException: Access is denied.
> > > > java.net.SocketException: Connection reset
> > > >     at java.net.SocketInputStream.read(Unknown Source)
> > > >     at jcifs.util.transport.Transport.readn(Transport.java:29)
> > > >     at jcifs.smb.SmbTransport.peekKey(SmbTransport.java:317)
> > > >     at jcifs.util.transport.Transport.loop(Transport.java:89)
> > > >     at jcifs.util.transport.Transport.run(Transport.java:229)
> > > >     at java.lang.Thread.run(Unknown Source)
> > > > New data read: Transport1[domainname<1C>/10.1.1.104:0]
> > > > 00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  |ÿSMBr......À....|
> > > > 00010: 00 00 00 00 00 00 00 00 00 00 27 04 00 00 0A 00  |..........'.....|
> > > >
> > > > byteCount=42 but readBytesWireFormat returned 20
> > > > Default credentials (jcifs.smb.client.username/password) not specified. SMB signing may not work properly. Skipping DC interrogation.
> > > >
> > > > treeConnect: unc=\\domainname$,service=?????
> > > > sessionSetup: accountName=username,primaryDomain=doaminname
> > > > New data read: Transport1[domainname<1C>/10.1.1.104:0]
> > > > 00000: FF 53 4D 42 73 00 00 00 00 98 07 C0 00 00 9D 76  |ÿSMBs......À...v|
> > > > 00010: AE 42 14 A0 37 2B 00 00 07 B0 27 04 03 E0 0B 00  |(r)B. 7+...°'..à..|
> > >
> > > "Access is denied" message would seem to point to incorrect
> > > credentials, but I know the credentials are correct because the user
> > > can log in when no other users are logged in. The problem only occurs
> > > when multiple users try to connect to the web application.
> > >
> > > I also tried setting up 'preauthentication' using the appropriate
> > > entries in the web.xml, but that didn't work either. I tried changing
> > > web.xml so that multiple domain controllers are used. I tried editing
> > > so that wins is not used.
> > >
> > > I did a packet capture on the failed session, and I see this repeat
> > > over and over:
> > > *HTTP/1.1 401 Unauthorized WWW-Authenticate: NTLM Content-Length: 0
> > > Date: Wed, 11 Jul 2007 21:38:46 GMT Server: Apache-Coyote/1.1*
> > >
> > > Any ideas? Any help would be very appreciated
> > >
> > >
> > > *Beth*
> > >
> > >
> >
> > -------------- next part --------------
> > A non-text attachment was scrubbed...
> > Name: signing.png
> > Type: image/png
> > Size: 16715 bytes
> > Desc: not available
> > Url : http://lists.samba.org/archive/jcifs/attachments/20070712/4b2d8616/signing.png
> >
>
>
> --
> Michael B Allen
> PHP Active Directory Kerberos SSO
> http://www.ioplex.com/
>