[jcifs] Too many authentication for the same user in a valid session

Michael B Allen mba2000 at ioplex.com
Sat May 12 02:20:34 GMT 2007


At the end of this document is a description of the NTLM HTTP
authentication protocol:

http://jcifs.samba.org/src/docs/ntlmhttpauth.html#proto

This explains that the password hashes computed by the client are specific
to the challenge returned by the domain controller.

So, for example, let's say you're load balancing between two web servers
W1 and W2. The initial HTTP request is serviced by W1 which returns a
challenge. The client computes the password hashes but then submits them
to W2. The challenge used on W2 is not correct for the password hashes
which results in an authentication failure. If this happens three times
the account may be locked out.

This is not necessarily what is happening in your case but it is almost
certainly something like it.

Make sure keep-alives are enabled and if you're using a cluster or load
balancing you must do something to ensure that clients use the same
server for the entire session.

Another thing you might do is familiarize yourself with Wireshark or that
popular HTTP analysis tool (can't remember the name of it). You can use
that to verify that the behavior is consistent with what is outlined in
the protocol documents cited above.

Mike

On Mon,  7 May 2007 17:24:34 -0300
"Marcio Lima" <marcio.lima at dataeasy.com.br> wrote:

> Hello
> 
> I have a web application that makes use of JCIFS, and looking in the log file I realized that the users are authenticated more than once. Those users were previously authenticated by jcifs. The re-authentication occurs when the user opens or reloads some JSPs or executes some servlet. Sometimes the authentication occurs three or four times in the same second for the same user.
> 
> I thought the authentication occurred just once per valid session and the filter doesn't authenticate again a user previously authenticated.
> 
> Is this a normal situation?
> 
> I'm using apache/tomcat, JDK 1.4.10, Struts, JCIFS 1.2.13
> 
> Thank you.
> 

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
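A small model of the failure mode described in the reply above, added here as example code (not jcifs code): two web servers each mint their own challenge, and a Type 3 response that lands on the server that did not issue the challenge fails at the domain controller, which locks the account after three bad attempts. The NT hash and response use SHA-256 stand-ins rather than real NTLM MD4/HMAC-MD5; the password, user name and lockout threshold are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PASSWORD = "constructed-password"  # constructed sample credential
LOCKOUT_THRESHOLD = 3              # mirrors the "three times" figure in the reply


def client_response(password: str, challenge: bytes) -> bytes:
    # The Type 3 response is bound to the challenge the client received. Stand-in
    # crypto: real NTLM uses an MD4 NT hash and HMAC-MD5; SHA-256 keeps this runnable.
    nt_hash = hashlib.sha256(password.encode("utf-16-le")).digest()
    return hmac.new(nt_hash, challenge, hashlib.sha256).digest()


@dataclass
class DomainController:
    passwords: dict
    bad_attempts: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def check(self, user: str, challenge: bytes, response: bytes) -> bool:
        # The web server forwards ITS OWN challenge together with the client's response.
        if user in self.locked:
            return False
        if hmac.compare_digest(client_response(self.passwords[user], challenge), response):
            self.bad_attempts[user] = 0
            return True
        self.bad_attempts[user] = self.bad_attempts.get(user, 0) + 1
        if self.bad_attempts[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        return False


def run_requests(n: int, sticky: bool) -> tuple:
    """Returns (successful logins, bad-attempt counter at the DC, account locked?)."""
    dc = DomainController({"marcio": PASSWORD})
    servers = [{}, {}]  # W1 and W2: each keeps its own outstanding challenge per connection
    ok = 0
    for i in range(n):
        first = servers[i % 2]                               # handles Type 1, returns Type 2
        second = first if sticky else servers[(i + 1) % 2]  # where the Type 3 lands
        first["conn"] = os.urandom(8)                        # fresh 8-byte server challenge
        resp = client_response(PASSWORD, first["conn"])
        # `second` validates against its own challenge (minted lazily if it has none)
        ok += dc.check("marcio", second.setdefault("conn", os.urandom(8)), resp)
    return ok, dc.bad_attempts.get("marcio", 0), "marcio" in dc.locked
```

With session affinity every request succeeds; without it every Type 3 is checked against the wrong challenge and the account is locked after the third failure.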

