[jcifs] jcifs NtlmHttpFilter - random "Page cannot be displayed"

RicardoSanchez ricardo.sanchez at polarisworld.com
Mon Apr 28 11:12:42 GMT 2008


Hi Mike,

I finally fixed this, and I would like to post the solution. I never
actually tried the timeout increase, since the default value is overwritten
in NtlmHttpFilter.init with 300000 milliseconds, which is high enough.

After some testing and investigation, I installed Wireshark (the replacement
for Ethereal) and saw that the server was sending TCP RST messages to the
client, and this closed the connection. In the NTLM documentation
(http://www.innovation.ch/personal/ronald/ntlm.html), it is made clear that
the HTTP connection has to be kept open during the authentication.

The server was closing the connection because it was too busy. It is a
Tomcat 5.0, and there are two configuration parameters involved: maxThreads
and maxKeepAliveRequests. With more than "maxThreads" simultaneous
connections, the excess requests go to a queue. And in this situation, it
seems that Tomcat doesn't keep connections open: instead, it closes the
connections as soon as they have been responded to, in order to process the
queued requests. So, something like this happens:
Internet Explorer sends request #1
Server sends response #1: 401 Unauthorized, WWW-Authenticate: NTLM

Internet Explorer sends request #2
Server sends response #2: 401 Unauthorized, WWW-Authenticate: NTLM type 2
message
Since the server has pending requests in the queue, the server closes the
connection

Internet Explorer notices that the connection is closed, and instead of
sending request #3, it shows a "page cannot be displayed" message.

The problem was easy to recreate in the test server, with a low value for
maxThreads (3, for example).

The solution, thus, is just a higher value for maxThreads, which needs a
proportional maxKeepAliveRequests value.

And finally, this means that we can't have any requests in the queue or the
authentication problems will appear. This is an obvious scalability problem
that either jcifs or Tomcat should address, to make sure that NTLM
connections are not closed during authentication.

Regards,
Ricardo
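
An added example, not part of the original post: a small Python check that takes the authentication headers and connection-close events seen per TCP connection in a capture and flags connections where the server closed after sending the NTLM type 2 challenge but before the client's type 3 message arrived. The event tuple format, the function names and the sample trace are assumptions constructed for illustration, and close events are assumed to be server-originated.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"  # 8-byte signature that starts every NTLM message

def ntlm_type(header_value):
    """Return the NTLM message type (1, 2 or 3) from an 'NTLM <base64>' value, else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        return None  # the bare "NTLM" offer in the first 401 carries no message
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP):
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian type field

def broken_handshakes(events):
    """events: (conn_id, kind, value) tuples in capture order (hypothetical format).
    kind is 'www-authenticate', 'authorization', 'rst' or 'fin'.
    Returns conn_ids closed between the type 2 challenge and the type 3 reply."""
    awaiting_type3, broken = set(), []
    for conn, kind, value in events:
        if kind == "www-authenticate" and ntlm_type(value) == 2:
            awaiting_type3.add(conn)
        elif kind == "authorization" and ntlm_type(value) == 3:
            awaiting_type3.discard(conn)
        elif kind in ("rst", "fin") and conn in awaiting_type3:
            awaiting_type3.discard(conn)
            broken.append(conn)
    return broken

def _sample(msg_type):
    # Constructed token: signature plus type field only, not a complete NTLM message.
    return "NTLM " + base64.b64encode(NTLMSSP + struct.pack("<I", msg_type)).decode()

# Constructed trace: c1 completes the handshake, c2 is reset after the challenge.
SAMPLE = [
    ("c1", "www-authenticate", "NTLM"), ("c1", "authorization", _sample(1)),
    ("c1", "www-authenticate", _sample(2)), ("c1", "authorization", _sample(3)),
    ("c1", "fin", ""),
    ("c2", "www-authenticate", "NTLM"), ("c2", "authorization", _sample(1)),
    ("c2", "www-authenticate", _sample(2)), ("c2", "rst", ""),
]

if __name__ == "__main__":
    print("connections closed mid-handshake:", broken_handshakes(SAMPLE))
```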