[jcifs] NTLM Authentication issue
Dawie Human
Dawie at inobits.com
Tue Aug 26 17:04:24 GMT 2008
I agree with your statement. No one should and I will increase it right now
if I can solve the riddle. I am going to try the following setup:
The only real change is the ssnLimit of 1, except from that we set everything we can.
<filter>
<filter-name>ntlm</filter-name>
<filter-class>jcifs.http.NtlmHttpFilter</filter-class>
<init-param>
<param-name>jcifs.smb.client.domainController</param-name>
<param-value>DCname</param-value>
</init-param>
<init-param>
<param-name>jcifs.smb.client.domain</param-name>
<param-value>DOMAIN</param-value>
</init-param>
<init-param>
<param-name>jcifs.netbios.wins</param-name>
<param-value>wins_ip_address</param-value>
</init-param>
<init-param>
<param-name>jcifs.netbios.hostname</param-name>
<param-value>localhostname</param-value>
</init-param>
<init-param>
<param-name>jcifs.smb.lmCompatibility</param-name>
<param-value>2</param-value>
</init-param>
<init-param>
<param-name>jcifs.smb.client.name</param-name>
<param-value>username</param-value>
</init-param>
<init-param>
<param-name>jcifs.smb.client.password</param-name>
<param-value>password</param-value>
</init-param>
<init-param>
<param-name>jcifs.smb.client.ssnLimit</param-name>
<param-value>1</param-value>
</init-param>
<init-param>
<!--
<param-name>jcifs.smb.client.soTimeout</param-name>
<param-value>15000</param-value>
</init-param>
-->
<init-param>
<param-name>jcifs.util.loglevel</param-name>
<param-value>2</param-value>
</init-param>
</filter>
-----Original Message-----
From: Michael B Allen [mailto:ioplex at gmail.com]
Sent: 26 August 2008 06:26 PM
To: Dawie Human
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] NTLM Authentication issue
No one should ever reduce the jcifs.smb.client.soTimeout value when
using the NTLM HTTP Filter.
I don't know where people got the idea of reducing soTimeout but just
in case someone reads this thread and thinks it's something they
should try I think it's important that I speak up and say clearly that
it's not something anyone should ever do. The soTimeout says "close
the transport after soTimeout milliseconds". So even though you think
you're making your SMB signing problem better (because it
reinitializes the transport for each authentication) you're not fixing
anything and in fact you're making things worse because you're greatly
increasing the chance that the transport will close in the middle of
an authentication (aka the "hiccup" bug).
Mike
On Tue, Aug 26, 2008 at 6:58 AM, David Human <Dawie at inobits.com> wrote:
>
> We have the same kind of issue here. Changing the soTimeout to very low
> values solves the problem, but I am afraid it is only masking the issue and
> not solving it. Under high loads on the server, the 500 is too much and we
> have found a stable value at soTimeout = 200. The problem with this logic
> is that soTimeout is supposed to support multiple sesstions over the same
> channel. Now you have a small value and I suspect, this will increase the
> load somewhere and when you run into high latency networking, it will cause
> logon problems.
>
> David Human
>
>
> Michael B Allen-4 wrote:
>>
>> That won't work since either the socket will close before a response
>> is recieved or under load you'll get two authentication requests within
>> 500ms.
>>
>> You must use preauthentication.
>>
>> Mike
>>
>> On Wed, 29 Nov 2006 08:55:48 -0500
>> "Anoop Prakash" <anoopatul at gmail.com> wrote:
>>
>>> Thanks Jonathan,
>>>
>>> I tried out changing the soTimeOut to 500 milliseconds abd it seems to be
>>> running fine now.
>>>
>>>
>>> On 11/28/06, Jonathan Trumbull <jonathan.trumbull at gmail.com> wrote:
>>> >
>>> > Anoop,
>>> >
>>> > You probably need to specify a set of domain credentials explicitly
>>> > for preauthentication. We usually just setup a service account just
>>> > for this.
>>> >
>>> > see http://jcifs.samba.org/src/docs/ntlmhttpauth.html#signing
>>> >
>>> > <init-param>
>>> > <param-name>jcifs.smb.client.username</param-name>
>>> > <param-value>SomeServiceAccount</param-value>
>>> > </init-param>
>>> >
>>> > <init-param>
>>> > <param-name>jcifs.smb.client.password</param-name>
>>> > <param-value>SomeServiceAccountPassword</param-value>
>>> > </init-param>
>>> >
>>> > --Jonathan
>>> >
>>> > On 11/28/06, Anoop Prakash <anoopatul at gmail.com> wrote:
>>> > >
>>> > >
>>> > > Hello Mike,
>>> > >
>>> > >
>>> > > We got your reference from the jcifs mailing list. We found out an
>>> > issue in the mailing list that is similar to the problem we are
>>> > facing while accessing our application using the JCIFS NTLM
>>> authentication.
>>> > When multiple users try accessing our application concurrently, only
>>> one of
>>> > the users will be allowed to log in. The others are shown the NTLM
>>> > authentication box again and again, even though they enter the right
>>> > credentials. The application is a struts based J2EE application and we
>>> are
>>> > using JCIFS version 1.2.8. We tried doing the instructions given in
>>> the
>>> > link - http://lists.samba.org/archive/jcifs/2006-June/006304.html .
>>> We
>>> > are using a domain controller also in this. I am pasting below a part
>>> of
>>> > the web.xml for the application.
>>> > >
>>> > >
>>> > >
>>> > > <filter>
>>> > >
>>> > > <filter-name>NtlmHttpFilter</filter-name>
>>> > >
>>> > > <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
>>> > >
>>> > >
>>> > >
>>> > > <init-param>
>>> > >
>>> > >
>>> <param-name>jcifs.http.domainController</param-name>
>>> > >
>>> > > <param-value>CORPDC3</param-value>
>>> > >
>>> > > </init-param>
>>> > >
>>> > >
>>> > >
>>> > > <init-param>
>>> > >
>>> > >
>>> <param-name>jcifs.smb.lmCompatibility</param-name>
>>> > >
>>> > > <param-value>3</param-value>
>>> > >
>>> > > </init-param>
>>> > >
>>> > > </filter>
>>> > >
>>> > >
>>> > >
>>> > > It would be great if you could let us know what could be the
>>> > issue.Please let us knowif you need any more details on this.
>>> > >
>>> > >
>>> > >
>>> > > Thanks,
>>> > >
>>> > > Anoop
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > > [jcifs] NTLM Authentication problemMike Streeton mike.streeton at
>>> > ardentia.co.uk
>>> > > Thu Jun 22 06:51:43 GMT 2006
>>> > >
>>> > >
>>> > >
>>> > > Previous message: [jcifs] NTLM Authentication problem
>>> > > Next message: [jcifs] Authenticating Against Multiple Domain
>>> > Controllers
>>> > > Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
>>> > ________________________________
>>> > We had problems with some people being able to connect but not other,
>>> > > even though they have exactly the same config (XP pro), we got round
>>> > > them by setting the following:
>>> > >
>>> > >
>>> > > Configure the JCIFS parameter jcifs.smb.lmCompatibility try setting
>>> it
>>> > > to 3, 4 or 5
>>> > >
>>> > > Configure the JCIFS parameter jcifs.netbios.hostname to be the local
>>> > > machine
>>> > >
>>> > >
>>> > >
>>> > > Set the API documentation on how to do this:
>>> > >
>>> > > http://jcifs.samba.org/src/docs/api/
>>> > >
>>> > >
>>> > >
>>> > > If this does not work post the config/error logs etc and Michael is
>>> very
>>> > >
>>> > > helpful and can usually put you right.
>>> > >
>>> > >
>>> > >
>>> > > Thanks
>>> > >
>>> > >
>>> > >
>>> > > Mike
>>> > >
>>> > >
>>> > >
>>> > > www.ardentia.com the home of NetSearch
>>> > >
>>> > > ________________________________
>>> > >
>>> > >
>>> > > From: jcifs-bounces+mike.streeton=ardentia.co.uk at lists.samba.org
>>> > >
>>> > > [mailto:jcifs-bounces+mike.streeton=
>>> > > ardentia.co.uk at lists.samba.org] On
>>> > > Behalf Of Publius Ismanescu
>>> > > Sent: 21 June 2006 21:25
>>> > > To:
>>> > > jcifs at lists.samba.org
>>> > > Subject: [jcifs] NTLM Authentication problem
>>> > >
>>> > >
>>> > >
>>> > > Hi everybody,
>>> > >
>>> > > I have a situation where the NTLM authentication fails. I will
>>> explain
>>> > > my configuration and the tests we did.
>>> > >
>>> > >
>>> > > We have a weblogic server on AIX server and we use jcifs for NTLM
>>> > > authentication. The users that access the website, they all have
>>> windows
>>> > > desktops, with IE installed.
>>> > > All user can access the website properly . The problem start when we
>>> > >
>>> > > want to let user from outsite the company connect.
>>> > >
>>> > > The external user connect to a metaframe (Citrix) and they use the IE
>>> > > browser on the metaframe server to connect to the internal website.
>>> > > The user are propted with a login dialog to enter their user ID and
>>> > >
>>> > > password. After entering the information they get a server or DNS
>>> error.
>>> > >
>>> > > After we turned the loglevel to see more info from jcifs, it looks
>>> like
>>> > > the 3-rd handshake does not take place.
>>> > >
>>> > > Installing Firefox on the metaframe server and testing the
>>> > >
>>> > > access,everything is working.
>>> > > Using IE to connect to a second metaframe server it woks also. IE
>>> > > versions on the 2 metaframes is the same.
>>> > >
>>> > >
>>> > > Can anybody help with some IE settings or give me some tips on what
>>> else
>>> > >
>>> > > to look for to solve this.
>>> > >
>>> > >
>>> > > Thank you
>>> > >
>>> > >
>>> > > --
>>> > > Publius Ismanescu
>>> > > http://publius.wwdb.biz
>>> > >
>>> > > email: publiusi at gmail.com
>>> > >
>>> > > -------------- next part --------------
>>> > >
>>> > > HTML attachment scrubbed and removed
>>> > >
>>> > > ________________________________
>>> >
>>> > >
>>> > >
>>> > >
>>> > > Previous message: [jcifs] NTLM Authentication problem
>>> > > Next message: [jcifs] Authenticating Against Multiple Domain
>>> > Controllers
>>> > > Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
>>> > ________________________________
>>> > More information about the jcifs mailing list
>>> > >
>>> > >
>>> > >
>>> >
>>>
>>
>>
>> --
>> Michael B Allen
>> PHP Active Directory SSO
>> http://www.ioplex.com/
>>
>>
>
> --
> View this message in context: http://www.nabble.com/NTLM-Authentication-issue-tp7583052p19158804.html
> Sent from the Samba - jcifs mailing list archive at Nabble.com.
>
>
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
More information about the jcifs
mailing list