[jcifs] NTLM Authentication issue

David Human Dawie at inobits.com
Tue Aug 26 15:40:25 GMT 2008


The idea comes from:

1. You know SMB signing is causing this issue and the next step is to
provide the domain, username and password required for pre-authentication.
No sweat.
2. You restart the server and lo and behold, the problem doesn't go away.
3. You Google the lot even more and locate all the parameters for the
NtlmHttpFilter
4. Logic says that soTimeout should be longer, but why not - make it smaller
5. Problem goes away, but as I said - It is masked and becomes a timebomb

Now the hunt is on for solving the SMB config issue. One thread says, use
the Workstation, in my case the Server account, but with what password? The
domain and account part can be figured out, but password? Hence, we create
an account, but should this be a normal domain user account? Any special
permissions?

It really looks as if the account details provided are ignored, because of a
shortcoming.

David Human



Michael B Allen wrote:
> 
> No one should ever reduce the jcifs.smb.client.soTimeout value when
> using the NTLM HTTP Filter.
> 
> I don't know where people got the idea of reducing soTimeout but just
> in case someone reads this thread and thinks it's something they
> should try I think it's important that I speak up and say clearly that
> it's not something anyone should ever do. The soTimeout says "close
> the transport after soTimeout milliseconds". So even though you think
> you're making your SMB signing problem better (because it
> reinitializes the transport for each authentication) you're not fixing
> anything and in fact you're making things worse because you're greatly
> increasing the chance that the transport will close in the middle of
> an authentication (aka the "hiccup" bug).
> 
> Mike
> 
> On Tue, Aug 26, 2008 at 6:58 AM, David Human <Dawie at inobits.com> wrote:
>>
>> We have the same kind of issue here.  Changing the soTimeout to very low
>> values solves the problem, but I am afraid it is only masking the issue and
>> not solving it.  Under high loads on the server, the 500 is too much and we
>> have found a stable value at soTimeout = 200.  The problem with this logic
>> is that soTimeout is supposed to support multiple sessions over the same
>> channel.  Now you have a small value and I suspect, this will increase the
>> load somewhere and when you run into high latency networking, it will cause
>> logon problems.
>>
>> David Human
>>
>>
>> Michael B Allen-4 wrote:
>>>
>>> That won't work since either the socket will close before a response
>>> is received or under load you'll get two authentication requests within
>>> 500ms.
>>>
>>> You must use preauthentication.
>>>
>>> Mike
>>>
>>> On Wed, 29 Nov 2006 08:55:48 -0500
>>> "Anoop Prakash" <anoopatul at gmail.com> wrote:
>>>
>>>> Thanks Jonathan,
>>>>
>>>> I tried out changing the soTimeOut to 500 milliseconds and it seems to be
>>>> running fine now.
>>>>
>>>>
>>>> On 11/28/06, Jonathan Trumbull <jonathan.trumbull at gmail.com> wrote:
>>>> >
>>>> > Anoop,
>>>> >
>>>> > You probably need to specify a set of domain credentials explicitly
>>>> > for preauthentication. We usually just setup a service account just
>>>> > for this.
>>>> >
>>>> > see http://jcifs.samba.org/src/docs/ntlmhttpauth.html#signing
>>>> >
>>>> > <init-param>
>>>> >   <param-name>jcifs.smb.client.username</param-name>
>>>> >   <param-value>SomeServiceAccount</param-value>
>>>> > </init-param>
>>>> >
>>>> > <init-param>
>>>> >   <param-name>jcifs.smb.client.password</param-name>
>>>> >   <param-value>SomeServiceAccountPassword</param-value>
>>>> > </init-param>
>>>> >
>>>> > --Jonathan
>>>> >
>>>> > On 11/28/06, Anoop Prakash <anoopatul at gmail.com> wrote:
>>>> > >
>>>> > >
>>>> > > Hello Mike,
>>>> > >
>>>> > >
>>>> > > We got your reference from the jcifs mailing list. We found out an
>>>> > > issue in the mailing list that is similar to the problem we are
>>>> > > facing while accessing our application using the JCIFS NTLM
>>>> > > authentication. When multiple users try accessing our application
>>>> > > concurrently, only one of the users will be allowed to log in. The
>>>> > > others are shown the NTLM authentication box again and again, even
>>>> > > though they enter the right credentials. The application is a struts
>>>> > > based J2EE application and we are using JCIFS version 1.2.8. We tried
>>>> > > doing the instructions given in the link -
>>>> > > http://lists.samba.org/archive/jcifs/2006-June/006304.html . We are
>>>> > > using a domain controller also in this. I am pasting below a part of
>>>> > > the web.xml for the application.
>>>> > >
>>>> > >
>>>> > >
>>>> > >  <filter>
>>>> > >      <filter-name>NtlmHttpFilter</filter-name>
>>>> > >      <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
>>>> > >
>>>> > >      <init-param>
>>>> > >          <param-name>jcifs.http.domainController</param-name>
>>>> > >          <param-value>CORPDC3</param-value>
>>>> > >      </init-param>
>>>> > >
>>>> > >      <init-param>
>>>> > >          <param-name>jcifs.smb.lmCompatibility</param-name>
>>>> > >          <param-value>3</param-value>
>>>> > >      </init-param>
>>>> > >  </filter>
>>>> > >
>>>> > >
>>>> > >
>>>> > > It would be great if you could let us know what could be the
>>>> > > issue. Please let us know if you need any more details on this.
>>>> > >
>>>> > >
>>>> > >
>>>> > > Thanks,
>>>> > >
>>>> > > Anoop
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > > [jcifs] NTLM Authentication problem
>>>> > > Mike Streeton mike.streeton at ardentia.co.uk
>>>> > > Thu Jun 22 06:51:43 GMT 2006
>>>> > >
>>>> > >
>>>> > >
>>>> > > We had problems with some people being able to connect but not others,
>>>> > > even though they have exactly the same config (XP pro), we got round
>>>> > > them by setting the following:
>>>> > >
>>>> > >
>>>> > > Configure the JCIFS parameter jcifs.smb.lmCompatibility try setting it
>>>> > > to 3, 4 or 5
>>>> > >
>>>> > > Configure the JCIFS parameter jcifs.netbios.hostname to be the local
>>>> > > machine
>>>> > >
>>>> > > Set the API documentation on how to do this:
>>>> > >
>>>> > > http://jcifs.samba.org/src/docs/api/
>>>> > >
>>>> > > If this does not work post the config/error logs etc and Michael is very
>>>> > > helpful and can usually put you right.
>>>> > >
>>>> > >
>>>> > >
>>>> > > Thanks
>>>> > >
>>>> > >
>>>> > >
>>>> > > Mike
>>>> > >
>>>> > >
>>>> > >
>>>> > > www.ardentia.com the home of NetSearch
>>>> > >
>>>> > > ________________________________
>>>> > >
>>>> > >
>>>> > > From: jcifs-bounces+mike.streeton=ardentia.co.uk at lists.samba.org
>>>> > > [mailto:jcifs-bounces+mike.streeton=ardentia.co.uk at lists.samba.org]
>>>> > > On Behalf Of Publius Ismanescu
>>>> > > Sent: 21 June 2006 21:25
>>>> > > To: jcifs at lists.samba.org
>>>> > > Subject: [jcifs] NTLM Authentication problem
>>>> > >
>>>> > >
>>>> > >
>>>> > > Hi everybody,
>>>> > >
>>>> > > I have a situation where the NTLM authentication fails. I will explain
>>>> > > my configuration and the tests we did.
>>>> > >
>>>> > > We have a weblogic server on AIX server and we use jcifs for NTLM
>>>> > > authentication. The users that access the website, they all have windows
>>>> > > desktops, with IE installed.
>>>> > > All users can access the website properly. The problem starts when we
>>>> > > want to let users from outside the company connect.
>>>> > >
>>>> > > The external users connect to a metaframe (Citrix) and they use the IE
>>>> > > browser on the metaframe server to connect to the internal website.
>>>> > > The users are prompted with a login dialog to enter their user ID and
>>>> > > password. After entering the information they get a server or DNS error.
>>>> > >
>>>> > > After we turned the loglevel to see more info from jcifs, it looks like
>>>> > > the 3-rd handshake does not take place.
>>>> > >
>>>> > > Installing Firefox on the metaframe server and testing the
>>>> > > access, everything is working.
>>>> > > Using IE to connect to a second metaframe server it works also. IE
>>>> > > versions on the 2 metaframes is the same.
>>>> > >
>>>> > > Can anybody help with some IE settings or give me some tips on what else
>>>> > > to look for to solve this.
>>>> > >
>>>> > >
>>>> > > Thank you
>>>> > >
>>>> > >
>>>> > > --
>>>> > > Publius Ismanescu
>>>> > > http://publius.wwdb.biz
>>>> > >
>>>> > > email: publiusi at gmail.com
>>>> > >
>>>>
>>>
>>>
>>> --
>>> Michael B Allen
>>> PHP Active Directory SSO
>>> http://www.ioplex.com/
>>>
>>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/NTLM-Authentication-issue-tp7583052p19158804.html
>> Sent from the Samba - jcifs mailing list archive at Nabble.com.
>>
>>
> 
> 
> 
> -- 
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/
> 
> 

-- 
View this message in context: http://www.nabble.com/NTLM-Authentication-issue-tp7583052p19164528.html
Sent from the Samba - jcifs mailing list archive at Nabble.com.
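
Added example, not part of the original thread and not jCIFS code: a small audit of a web.xml that flags the two conditions discussed above, an NtlmHttpFilter without the domain, username and password needed for preauthentication, and an explicitly lowered jcifs.smb.client.soTimeout. The function names, finding codes, the 35000 ms floor and the EXAMPLEDOMAIN / PLACEHOLDER values are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

PREAUTH = tuple("jcifs.smb.client." + k for k in ("domain", "username", "password"))
SO_TIMEOUT = "jcifs.smb.client.soTimeout"
ASSUMED_FLOOR_MS = 35000  # assumption: use the default of your jCIFS version

def _children(el):
    # Map child tag (XML namespace stripped) to its trimmed text.
    return {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}

def audit_ntlm_filter(web_xml, floor_ms=ASSUMED_FLOOR_MS):
    """Return (code, detail) findings for each NtlmHttpFilter in web_xml."""
    findings = []
    for flt in ET.fromstring(web_xml).iter():
        if _children(flt).get("filter-class") != "jcifs.http.NtlmHttpFilter":
            continue
        params = {}
        for child in flt:
            kv = _children(child)
            if "param-name" in kv:
                params[kv["param-name"]] = kv.get("param-value", "")
        missing = [k for k in PREAUTH if not params.get(k)]
        if missing:  # preauthentication needs domain, username and password
            findings.append(("PREAUTH_INCOMPLETE", missing))
        raw = params.get(SO_TIMEOUT)
        if raw is not None and not raw.isdigit():
            findings.append(("SOTIMEOUT_INVALID", raw))
        elif raw is not None and int(raw) < floor_ms:
            findings.append(("SOTIMEOUT_LOWERED", int(raw)))
    return findings

def build_web_xml(params):
    # Constructed sample input: a minimal web.xml around the given init-params.
    body = "".join(f"<init-param><param-name>{k}</param-name><param-value>{v}"
                   "</param-value></init-param>" for k, v in params.items())
    return ("<web-app><filter><filter-name>NtlmHttpFilter</filter-name>"
            "<filter-class>jcifs.http.NtlmHttpFilter</filter-class>"
            f"{body}</filter></web-app>")

BASE = {"jcifs.http.domainController": "CORPDC3", "jcifs.smb.lmCompatibility": "3"}
# The masking workaround from the thread: no preauth account, soTimeout = 200.
MASKED = build_web_xml({**BASE, SO_TIMEOUT: "200"})
# Preauthentication configured, soTimeout untouched (placeholder credentials).
PREAUTHED = build_web_xml({**BASE, "jcifs.smb.client.domain": "EXAMPLEDOMAIN",
                           "jcifs.smb.client.username": "SomeServiceAccount",
                           "jcifs.smb.client.password": "PLACEHOLDER"})

if __name__ == "__main__":
    print(audit_ntlm_filter(MASKED), audit_ntlm_filter(PREAUTHED))
```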


