[jcifs] Problem with auto ntlm authentication

Jay Kraly jaykraly at gmail.com
Fri Mar 14 15:38:14 GMT 2008


I don't have an actual patch, but what I did was add the following line to
the Type2Message.java file as line # 248.  This is based on the JCIFS
1.2.18 source tree.


            flags ^= NTLMSSP_NEGOTIATE_NTLM2;

Disclaimer: I don't know why it works, what it breaks, or any other
ramifications of this change.  I do know that it caused my IE to
successfully authenticate where it previously failed.  Also, just for
completeness, the other change that allowed IE to authenticate was changing
the ntlmminclientsec registry key from 0x20080030 to 0x20000030.  I
undid this registry change prior to testing the above code change of course.

2008/3/14 Asaf Mesika <asaf.mesika at gmail.com>:

> Do tell...
>
> Thanks!
>
> Asaf
>
> 2008/3/13 Jay Kraly <jaykraly at gmail.com>:
>
> I had to modify the code and re-compile to force it to include the NTLMv2
> > flag in the challenge response.  This seemed to trick the browser into
> > thinking it was a full NTLMv2 response, but I wouldn't recommend it for
> > production.  I don't have a patch or anything but I can tell you the line
> > number and line that I added if you are interested.
> >
> > 2008/3/13 Asaf Mesika <asaf.mesika at gmail.com>:
> >
> > How did you force it? Can you please give the details?
> > > Apparently, we've encountered this exact problem today in an
> > > organization we're deploying our product at.
> > >
> > > Asaf
> > >
> > >
> > >
> > > 2008/3/12 Jay Kraly <jaykraly at gmail.com>:
> > >
> > > > Follow-up #2.  I found that forcing NTLMSSP_NEGOTIATE_NTLM2 in the
> > > > CHALLENGE response fixes this problem for me.  Though I have to admit I
> > > > don't yet understand the consequences so probably won't be able to use this
> > > > in my production environment.
> > > >
> > > > This is the post that has gotten me this far...
> > > >
> > > > http://lists.samba.org/archive/jcifs/2007-January/006963.html
> > > >
> > > >  2008/3/12 Jay Kraly <jaykraly at gmail.com>:
> > > >
> > > > BTW - I figured out the problem.  It appears that my organization
> > > > > requires ntlm2 via the ntlmminclientsec registry key set to 0x20080030.  I
> > > > > removed the 8 and everything works fine from both browsers.  Guess I should
> > > > > have checked this first :)
> > > > >
> > > > > Are there any plans (hacks?) to support NTLM2 or do I have to look
> > > > > for a new solution?
> > > > >
> > > > > 2008/3/11 Jay Kraly <jaykraly at gmail.com>:
> > > > >
> > > > > Please let me know if I can give you this information in a
> > > > > > different format, but here is what I see in WireShark :
> > > > > >
> > > > > > 1)  GET /timesheets/index.action HTTP/1.1
> > > > > > 2)  HTTP/1.1 401 Unauthorized
> > > > > > 3)  GET /timesheets/index.action HTTP/1.1, NTLMSSP_NEGOTIATE
> > > > > > 4)  HTTP/1.1 401 Unauthorized, NTLMSSP_CHALLENGE
> > > > > >
> > > > > > This is where it stops and firefox just goes blank.  IE stops
> > > > > > > here as well but displays an error page.  Headers and negotiation steps are
> > > > > > the same though.  As far as the detailed HTTP headers I see the following
> > > > > > associated with the numbered steps above:
> > > > > >
> > > > > > 2)  WWW-Authenticate: NTLM
> > > > > > 3)  Authorization: NTLM
> > > > > > TlRMTVNTUAMBAAAAB7IIogMOAwAyAADACgAKACgAIAAFAFgKAAIAD0xBCE1LUkFDWUpOSUg=
> > > > > > 4)  WWW-Authenticate: NTLM
> > > > > > TlRMTVNTUAACAAAABgAGMDAAAAAFOoEADxnXuIsuA5IAIAAAAAAAAF4ALgA2AIAATEBJAEgAAgAGAE4ASQBIAAEADABKAEMASQBGAFMANgAzAF8AMQAwADEAXwBDADgAAAAAAA==
> > > > > >
> > > > > > Thanks for any help you can give me.  Also, it is worth
> > > > > > re-pointing out that if I remove the server from my list of trusted sites so
> > > > > > that I login through the popup everything authenticates successfully.
> > > > > >
> > > > > > -J
> > > > > >
> > > > > > 2008/3/11 Asaf Mesika <asaf.mesika at gmail.com>:
> > > > > >
> > > > > > Can you please list down the negotiation steps and the exact
> > > > > > > point it has stopped?
> > > > > > > You can use WireShark to see the content of the HTTP headers.
> > > > > > > > Mainly important are the following headers:
> > > > > > > www-authenticate
> > > > > > > www-authorize
> > > > > > >
> > > > > > > We'll start with that until we'll get to the root of the
> > > > > > > problem.
> > > > > > >
> > > > > > > Asaf
> > > > > > >
> > > > > > >
> > > > > > > 2008/3/8 Jay Kraly <jaykraly at gmail.com>:
> > > > > > >
> > > > > > > I have a jboss 4.2.2 server using jcifs_1.2.18 with
> > > > > > > > jdk1.6.0_03.  The domain controller is win 2003.  When I hit
> > > > > > > > > a protected page in IE7 I see some negotiation with the server and then the
> > > > > > > > > debug output just stops and IE displays an "Internet Explorer cannot display
> > > > > > > > the webpage" error.  Thinking it was an IE7 problem I tried with Firefox,
> > > > > > > > and was able to login successfully using a basic authentication popup.  Next
> > > > > > > > I tried switching firefox to allow automatic authentication to the site, and
> > > > > > > > it now also stops at the same place as IE7.
> > > > > > > >
> > > > > > > > How can I fix this problem?  I have seen other similar posts
> > > > > > > > in the archive, but none with an answer.  Thanks in advance.  Sample config
> > > > > > > > file and output is below.
> > > > > > > >
> > > > > > > > -J
> > > > > > > >
> > > > > > > > <filter>
> > > > > > > >         <filter-name>NTLM HTTP Authentication
> > > > > > > > Filter</filter-name>
> > > > > > > >         <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> > > > > > > >
> > > > > > > >
> > > > > > > >         <init-param>
> > > > > > > >             <param-name>jcifs.http.domainController</param-name>
> > > > > > > >
> > > > > > > >             <param-value>BLAH</param-value>
> > > > > > > >         </init-param>
> > > > > > > >
> > > > > > > >         <init-param>
> > > > > > > >             <param-name>jcifs.netbios.hostname</param-name>
> > > > > > > >             <param-value>BLAH</param-value>
> > > > > > > >         </init-param>
> > > > > > > >
> > > > > > > >         <init-param>
> > > > > > > >                 <param-name>jcifs.smb.client.domain
> > > > > > > > </param-name>
> > > > > > > >             <param-value>BLAH</param-value>
> > > > > > > >         </init-param>
> > > > > > > >
> > > > > > > >         <init-param>
> > > > > > > >             <param-name>jcifs.util.loglevel</param-name>
> > > > > > > >             <param-value>8</param-value>
> > > > > > > >         </init-param>
> > > > > > > >     </filter>
> > > > > > > >
> > > > > > > >
> > > > > > > > 18:44:12,607 ERROR [STDERR] session established ok with
> > > > > > > > BLAH<00>/156.40.41
> > > > > > > > .206
> > > > > > > > 18:44:12,607 ERROR [STDERR]
> > > > > > > > SmbComNegotiate[command=SMB_COM_NEGOTIATE,received=f
> > > > > > > >
> > > > > > > > alse,errorCode=0,flags=0x0018,flags2=0xC003,signSeq=0,tid=0,pid=11880,uid=0,mid=
> > > > > > > > 4,wordCount=0,byteCount=12,wordCount=0,dialects=NT LM 0.12]
> > > > > > > > 18:44:12,607 ERROR [STDERR] 00000: FF 53 4D 42 72 00 00 00
> > > > > > > > 00 18 03 C0 00 00 00
> > > > > > > > 00  | SMBr......└....|
> > > > > > > > 00010: 00 00 00 00 00 00 00 00 00 00 68 2E 00 00 04 00
> > > > > > > > |..........h.....|
> > > > > > > > 00020: 00 0C 00 02 4E 54 20 4C 4D 20 30 2E 31 32 00
> > > > > > > > |....NT LM 0.12. |
> > > > > > > > 18:44:12,607 ERROR [STDERR] New data read:
> > > > > > > > Transport1[BLAH<00>/BLAH:139]
> > > > > > > > 18:44:12,623 ERROR [STDERR] 00000: FF 53 4D 42 72 00 00 00
> > > > > > > > 00 98 03 C0 00 00 00
> > > > > > > > 00  | SMBr......└....|
> > > > > > > > 00010: 00 00 00 00 00 00 00 00 00 00 68 2E 00 00 04 00
> > > > > > > > |..........h.....|
> > > > > > > > 18:44:12,623 ERROR [STDERR] byteCount=38 but
> > > > > > > > readBytesWireFormat returned 14
> > > > > > > > 18:44:12,623 ERROR [STDERR]
> > > > > > > > SmbComNegotiateResponse[command=SMB_COM_NEGOTIATE,re
> > > > > > > >
> > > > > > > > ceived=false,errorCode=0,flags=0x0098,flags2=0xC003,signSeq=0,tid=0,pid=11880,ui
> > > > > > > >
> > > > > > > > d=0,mid=4,wordCount=17,byteCount=38,wordCount=17,dialectIndex=0,securityMode=0x7
> > > > > > > >
> > > > > > > > ,security=user,encryptedPasswords=true,maxMpxCount=10,maxNumberVcs=1,maxBufferSi
> > > > > > > >
> > > > > > > > ze=4356,maxRawSize=65536,sessionKey=0x00000000,capabilities=0x0000E3FD,serverTim
> > > > > > > > e=Fri Mar 07 18:44:12 EST
> > > > > > > > 2008,serverTimeZone=300,encryptionKeyLength=8,byteCoun
> > > > > > > > t=38,encryptionKey=0xC18EE8D8F33FEEF9,oemDomainName=BLAH]
> > > > > > > > 18:44:12,623 ERROR [STDERR] 00000: FF 53 4D 42 72 00 00 00
> > > > > > > > 00 98 03 C0 00 00 00
> > > > > > > > 00  | SMBr......└....|
> > > > > > > > 00010: 00 00 00 00 00 00 00 00 00 00 68 2E 00 00 04 00
> > > > > > > > |..........h.....|
> > > > > > > > 00020: 11 00 00 07 0A 00 01 00 04 11 00 00 00 00 01
> > > > > > > > |............... |
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
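
Added example (not part of the original thread, and not jCIFS code): a Python check for the mismatch the thread converges on, where ntlmminclientsec requires NTLMv2 session security (bit 0x00080000) but the NTLMSSP_CHALLENGE does not carry NTLMSSP_NEGOTIATE_NTLM2. The function names, the constructed Type 2 messages and the sample flag word 0x00008201 are assumptions for illustration, and the accept rule models only the behaviour reported above.

```python
import base64
import struct

# Same bit in both places (values from Microsoft's NTLM documentation,
# not from the thread).
NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000       # flag inside NTLMSSP messages
MINSEC_REQUIRE_NTLM2_SESSION = 0x00080000  # bit inside ntlmminclientsec


def build_type2(flags, challenge=b"\x01\x02\x03\x04\x05\x06\x07\x08"):
    """Constructed minimal 32-byte Type 2 (CHALLENGE) message, base64 text."""
    # signature, type, target-name len/maxlen/offset, flags, server challenge
    msg = struct.pack("<8sIHHII8s", b"NTLMSSP\x00", 2, 0, 0, 32, flags, challenge)
    return base64.b64encode(msg).decode("ascii")


def challenge_flags(header_value):
    """Negotiate flags from a WWW-Authenticate value of the form 'NTLM <b64>'."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        raise ValueError("no NTLM message in header (bare 'NTLM' is step 2)")
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < 32 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("truncated or non-NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    if msg_type != 2:
        raise ValueError("expected Type 2 (CHALLENGE), got type %d" % msg_type)
    return struct.unpack_from("<I", raw, 20)[0]


def client_accepts_challenge(min_client_sec, header_value):
    """Model of the thread's finding: a client whose policy requires NTLMv2
    session security stops after a challenge that lacks the NTLM2 flag."""
    required = bool(min_client_sec & MINSEC_REQUIRE_NTLM2_SESSION)
    offered = bool(challenge_flags(header_value) & NTLMSSP_NEGOTIATE_NTLM2)
    return offered or not required


if __name__ == "__main__":
    base = 0x00008201  # constructed: UNICODE | NTLM | ALWAYS_SIGN
    plain = "NTLM " + build_type2(base)
    with_ntlm2 = "NTLM " + build_type2(base | NTLMSSP_NEGOTIATE_NTLM2)
    for policy in (0x20080030, 0x20000030):  # the two registry values above
        for name, hdr in (("plain", plain), ("with NTLM2", with_ntlm2)):
            ok = client_accepts_challenge(policy, hdr)
            print("policy 0x%08X, challenge %-10s -> %s"
                  % (policy, name, "continues" if ok else "stops at step 4"))
```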