[jcifs] Problem with auto ntlm authentication

Asaf Mesika asaf.mesika at gmail.com
Sun Mar 16 08:48:36 GMT 2008


Well, I did the same patch as you did, but just a little bit different:

                type2.setFlag(NTLMSSP_NEGOTIATE_NTLM2, true); // Turn on NTLMv2 flag

In NtlmSsp.java

It has the same effect as your patch, which is: turning on the NTLM v2
flag.

The problem is that I can't change the registry like you did, since it's
inherent in the organization we're installing our product.

The patch made IE send the type-3 message, but then it fails on
authentication in the Active Directory. I guess because* jCIFS doesn't
support NTLMv2.

*I'll have to think of something quick!

2008/3/14 Jay Kraly <jaykraly at gmail.com>:

> I don't have an actual patch, but what I did was add the following line to
> the Type2Message.java file as line # 248.  This is based on the JCIFS
> 1.2.18 source tree.
>
>
>             flags ^= NTLMSSP_NEGOTIATE_NTLM2;
>
> Disclaimer : I don't know why it works, what it breaks, or any other
> ramifications of this change.  I do know that it caused my IE to
> successfully authenticate where it previously failed.  Also, just for
> completeness, the other change that allowed IE to authenticate was changing
> the ntlmminclientsec registry key from 0x20080030 to 0x20000030.  I
> undid this registry change prior to testing the above code change of course.
>
> 2008/3/14 Asaf Mesika <asaf.mesika at gmail.com>:
>
> > Do tell...
> >
> > Thanks!
> >
> > Asaf
> >
> > 2008/3/13 Jay Kraly <jaykraly at gmail.com>:
> >
> > > I had to modify the code and re-compile to force it to include the
> > > NTLMv2 flag in the challenge response.  This seemed to trick the browser
> > > into thinking it was a full NTLMv2 response, but I wouldn't recommend it for
> > > production.  I don't have a patch or anything but I can tell you the line
> > > number and line that I added if you are interested.
> > >
> > > 2008/3/13 Asaf Mesika <asaf.mesika at gmail.com>:
> > >
> > > > How did you force it? Can you please give the details?
> > > > Apparently, we've encountered this exact problem today in an
> > > > organization we're deploying our product at.
> > > >
> > > > Asaf
> > > >
> > > >
> > > >
> > > > 2008/3/12 Jay Kraly <jaykraly at gmail.com>:
> > > >
> > > > > Follow-up #2.  I found that forcing NTLMSSP_NEGOTIATE_NTLM2 in the
> > > > > CHALLENGE response fixes this problem for me.  Though I have to admit I
> > > > > don't yet understand the consequences so probably won't be able to use this
> > > > > in my production environment.
> > > > >
> > > > > This is the post that has gotten me this far...
> > > > >
> > > > > http://lists.samba.org/archive/jcifs/2007-January/006963.html
> > > > >
> > > > >  2008/3/12 Jay Kraly <jaykraly at gmail.com>:
> > > > >
> > > > > > BTW - I figured out the problem.  It appears that my organization
> > > > > > requires ntlm2 via the ntlmminclientsec registry key set to 0x20080030.  I
> > > > > > removed the 8 and everything works fine from both browsers.  Guess I should
> > > > > > have checked this first :)
> > > > > >
> > > > > > Are there any plans (hacks?) to support NTLM2 or do I have to
> > > > > > look for a new solution?
> > > > > >
> > > > > > 2008/3/11 Jay Kraly <jaykraly at gmail.com>:
> > > > > >
> > > > > > > Please let me know if I can give you this information in a
> > > > > > > different format, but here is what I see in WireShark :
> > > > > > >
> > > > > > > 1)  GET /timesheets/index.action HTTP/1.1
> > > > > > > 2)  HTTP/1.1 401 Unauthorized
> > > > > > > 3)  GET /timesheets/index.action HTTP/1.1, NTLMSSP_NEGOTIATE
> > > > > > > 4)  HTTP/1.1 401 Unauthorized, NTLMSSP_CHALLENGE
> > > > > > >
> > > > > > > This is where it stops and firefox just goes blank.  IE stops
> > > > > > > here as well but displays an error page.  Headers and negotiation steps are
> > > > > > > the same though.  As far as the detailed HTTP headers I see the following
> > > > > > > associated with the numbered steps above:
> > > > > > >
> > > > > > > 2)  WWW-Authenticate: NTLM
> > > > > > > 3)  Authorization: NTLM
> > > > > > > TlRMTVNTUAMBAAAAB7IIogMOAwAyAADACgAKACgAIAAFAFgKAAIAD0xBCE1LUkFDWUpOSUg=
> > > > > > > 4)  WWW-Authenticate: NTLM
> > > > > > > TlRMTVNTUAACAAAABgAGMDAAAAAFOoEADxnXuIsuA5IAIAAAAAAAAF4ALgA2AIAATEBJAEgAAgAGAE4ASQBIAAEADABKAEMASQBGAFMANgAzAF8AMQAwADEAXwBDADgAAAAAAA==
> > > > > > >
> > > > > > > Thanks for any help you can give me.  Also, it is worth
> > > > > > > re-pointing out that if I remove the server from my list of trusted sites so
> > > > > > > that I login through the popup everything authenticates successfully.
> > > > > > >
> > > > > > > -J
> > > > > > >
> > > > > > > 2008/3/11 Asaf Mesika <asaf.mesika at gmail.com>:
> > > > > > >
> > > > > > > > Can you please list down the negotiation steps and the exact
> > > > > > > > point it has stopped?
> > > > > > > > You can use WireShark to see the content of the HTTP
> > > > > > > > headers. Mainly important are the following headers:
> > > > > > > > www-authenticate
> > > > > > > > www-authorize
> > > > > > > >
> > > > > > > > We'll start with that until we get to the root of the
> > > > > > > > problem.
> > > > > > > >
> > > > > > > > Asaf
> > > > > > > >
> > > > > > > >
> > > > > > > > 2008/3/8 Jay Kraly <jaykraly at gmail.com>:
> > > > > > > >
> > > > > > > > > I have a jboss 4.2.2 server using jcifs_1.2.18 with
> > > > > > > > > jdk1.6.0_03.  The domain controller is win 2003.  When I
> > > > > > > > > hit a protected page in IE7 I see some negotiation with the server and then
> > > > > > > > > the debug output just stops and IE displays an "Internet Explorer cannot
> > > > > > > > > display the webpage" error.  Thinking it was an IE7 problem I tried with
> > > > > > > > > Firefox, and was able to login successfully using a basic authentication
> > > > > > > > > popup.  Next I tried switching firefox to allow automatic authentication to
> > > > > > > > > the site, and it now also stops at the same place as IE7.
> > > > > > > > >
> > > > > > > > > How can I fix this problem?  I have seen other similar
> > > > > > > > > posts in the archive, but none with an answer.  Thanks in advance.  Sample
> > > > > > > > > config file and output is below.
> > > > > > > > >
> > > > > > > > > -J
> > > > > > > > >
> > > > > > > > > <filter>
> > > > > > > > >     <filter-name>NTLM HTTP Authentication Filter</filter-name>
> > > > > > > > >     <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> > > > > > > > >     <init-param>
> > > > > > > > >         <param-name>jcifs.http.domainController</param-name>
> > > > > > > > >         <param-value>BLAH</param-value>
> > > > > > > > >     </init-param>
> > > > > > > > >     <init-param>
> > > > > > > > >         <param-name>jcifs.netbios.hostname</param-name>
> > > > > > > > >         <param-value>BLAH</param-value>
> > > > > > > > >     </init-param>
> > > > > > > > >     <init-param>
> > > > > > > > >         <param-name>jcifs.smb.client.domain</param-name>
> > > > > > > > >         <param-value>BLAH</param-value>
> > > > > > > > >     </init-param>
> > > > > > > > >     <init-param>
> > > > > > > > >         <param-name>jcifs.util.loglevel</param-name>
> > > > > > > > >         <param-value>8</param-value>
> > > > > > > > >     </init-param>
> > > > > > > > > </filter>
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > 18:44:12,607 ERROR [STDERR] session established ok with BLAH<00>/156.40.41.206
> > > > > > > > > 18:44:12,607 ERROR [STDERR] SmbComNegotiate[command=SMB_COM_NEGOTIATE,received=false,errorCode=0,flags=0x0018,flags2=0xC003,signSeq=0,tid=0,pid=11880,uid=0,mid=4,wordCount=0,byteCount=12,wordCount=0,dialects=NT LM 0.12]
> > > > > > > > > 18:44:12,607 ERROR [STDERR] 00000: FF 53 4D 42 72 00 00 00 00 18 03 C0 00 00 00 00  | SMBr......└....|
> > > > > > > > > 00010: 00 00 00 00 00 00 00 00 00 00 68 2E 00 00 04 00  |..........h.....|
> > > > > > > > > 00020: 00 0C 00 02 4E 54 20 4C 4D 20 30 2E 31 32 00     |....NT LM 0.12. |
> > > > > > > > > 18:44:12,607 ERROR [STDERR] New data read: Transport1[BLAH<00>/BLAH:139]
> > > > > > > > > 18:44:12,623 ERROR [STDERR] 00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  | SMBr......└....|
> > > > > > > > > 00010: 00 00 00 00 00 00 00 00 00 00 68 2E 00 00 04 00  |..........h.....|
> > > > > > > > > 18:44:12,623 ERROR [STDERR] byteCount=38 but readBytesWireFormat returned 14
> > > > > > > > > 18:44:12,623 ERROR [STDERR] SmbComNegotiateResponse[command=SMB_COM_NEGOTIATE,received=false,errorCode=0,flags=0x0098,flags2=0xC003,signSeq=0,tid=0,pid=11880,uid=0,mid=4,wordCount=17,byteCount=38,wordCount=17,dialectIndex=0,securityMode=0x7,security=user,encryptedPasswords=true,maxMpxCount=10,maxNumberVcs=1,maxBufferSize=4356,maxRawSize=65536,sessionKey=0x00000000,capabilities=0x0000E3FD,serverTime=Fri Mar 07 18:44:12 EST 2008,serverTimeZone=300,encryptionKeyLength=8,byteCount=38,encryptionKey=0xC18EE8D8F33FEEF9,oemDomainName=BLAH]
> > > > > > > > > 18:44:12,623 ERROR [STDERR] 00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  | SMBr......└....|
> > > > > > > > > 00010: 00 00 00 00 00 00 00 00 00 00 68 2E 00 00 04 00  |..........h.....|
> > > > > > > > > 00020: 11 00 00 07 0A 00 01 00 04 11 00 00 00 00 01     |............... |
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
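As an added diagnostic example (not code from this thread or from jCIFS): parse the Type 2 CHALLENGE carried in the `WWW-Authenticate: NTLM` header and compare its negotiate flags against the ntlmminclientsec value the thread mentions, which shows why a client that requires NTLM2 session security stops after step 4 instead of sending the Type 3 message. The Type 2 message is constructed here (the page's base64 blobs do not decode cleanly); the flag bit values are the MS-NLMP ones.

```python
import base64
import struct

# NTLMSSP negotiate flag bits discussed in the thread (bit values per MS-NLMP).
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000  # NTLM2 session security: the "8" in 0x20080030
NTLMSSP_NEGOTIATE_128 = 0x20000000
FLAG_NAMES = {v: n for n, v in list(globals().items()) if n.startswith("NTLMSSP_")}

# ntlmminclientsec as enforced in the thread's organization: 128-bit, NTLM2, seal, sign.
NTLM_MIN_CLIENT_SEC = 0x20080030


def build_type2(flags, target="BLAH", challenge=bytes.fromhex("c18ee8d8f33feef9")):
    """Build a minimal NTLM CHALLENGE (Type 2); a constructed sample, not jCIFS output."""
    name = target.encode("utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii")
    fixed = 48  # signature, type, TargetName fields, flags, challenge, reserved, TargetInfo fields
    msg = b"NTLMSSP\0" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(name), len(name), fixed)   # TargetName security buffer
    msg += struct.pack("<I", flags) + challenge + bytes(8)     # flags, 8-byte challenge, reserved
    msg += struct.pack("<HHI", 0, 0, fixed + len(name))        # empty TargetInfo buffer
    return msg + name


def type2_header(flags, target="BLAH"):
    """The base64 value a server would put after 'WWW-Authenticate: NTLM ' (constructed)."""
    return base64.b64encode(build_type2(flags, target)).decode()


def parse_type2(header_value):
    """Parse a Type 2 header value into its negotiate flags, target name and challenge."""
    data = base64.b64decode(header_value)
    if data[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", data, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    name_len, _, name_off = struct.unpack_from("<HHI", data, 12)
    flags = struct.unpack_from("<I", data, 20)[0]
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    return {"flags": flags, "target": data[name_off:name_off + name_len].decode(codec),
            "challenge": data[24:32]}


def missing_client_requirements(flags, min_client_sec=NTLM_MIN_CLIENT_SEC):
    """Names of the bits the client policy requires but the server's CHALLENGE did not set."""
    missing = min_client_sec & ~flags
    return sorted(FLAG_NAMES.get(b, hex(b)) for b in (1 << i for i in range(32)) if missing & b)


if __name__ == "__main__":
    base = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM
            | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_128)
    for flags in (base, base | NTLMSSP_NEGOTIATE_NTLM2):  # without and with the forced flag
        print(hex(flags), missing_client_requirements(parse_type2(type2_header(flags))["flags"]))
```

Run against a captured header value instead of the constructed one, an empty list means the CHALLENGE already satisfies a 0x20080030 client policy; a non-empty list names exactly the bits the client will refuse to proceed without.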