[jcifs] Need help with failed logins

André Warnier aw at ice-sa.com
Thu Apr 9 23:28:53 GMT 2009


Hi.

I'm just a user, not a guru. I just want to give you a number of things 
to check.

First, from your description you have stations that work, and others 
that don't.  So the problem is likely to be at the station level, not at 
the server level.  Also, if on one station FF works, but not IE, then the 
problem is in some setting at the IE level.

From your description below (that the server never receives the Type 3 
message), my guess is that IE on the workstation currently only accepts
NTLMv2.  So it does not accept the Type 2 message from the server, and 
pops up the login dialog. See (1) below.

A good add-on to IE, to be able to check exactly what HTTP headers are 
being exchanged with the server, is Fiddler.  Search for it on Google.
It offers capabilities similar to LiveHttpHeaders or HttpFox for FF.

In addition:

1) the Samba JCIFS NTLM HTTP filter can do only NTLMv1 authentication. 
It does not work with NTLMv2, and never will. If you need NTLMv2, go here:
http://www.ioplex.com.
I also use the Jespa filter, and it works with NTLMv1 /and/ NTLMv2.
It is free for up to 25 users, and not very expensive if you need more.

The above is important because, by default, IE on Vista is set up for 
NTLMv2.  So if the stations where it is not working are Vista, that is 
probably your problem.
I don't know how to set Vista to allow NTLMv1; you need to ask someone else.


2) If all the stations, including the ones that do not work, are in the 
same LAN and Domain, then this does not apply to you.

In order for IE to do NTLM authentication, it must "trust" the server.
If the station is not in the same domain as the server, you need to add 
the server to the "trusted sites".
(Firefox security settings are different, that is why it may work with 
FF and not with IE).

3) IE must be set to allow NTLM authentication. There is a setting 
somewhere in the IE options for "allow Integrated Windows 
Authentication". It must be checked.

4) for the "Basic Authentication" to work, not only IE but also the 
Domain Controller must be set to allow it.  Usually this is not the case.
In general, with JCIFS, if IE shows the Basic Login popup dialog, that 
means that NTLM has failed already.  Once you get to that point, there 
is nothing you can do anymore.  Basically, if you see the IE popup 
dialog, consider it as the end.

5) There are some Registry settings that can play a role.  They are 
mentioned in the on-line documentation somewhere.  Do not change them 
unless you really need to, and only then to make them the same as some 
other station that works.
These settings concern the "level" of Windows authentication that the 
station will accept.  Make sure they are the same as the stations that work.

6) when changing the settings at the Java server side, I have found that 
sometimes you need to wait a while before they take effect.  There is 
some buffering/caching going on, that only goes away after for example 
10 minutes.  Even if you restart Tomcat completely.


Hope that helps.




MStreck wrote:
> Hello All,
> 
> We are using the filter in production and have a couple of situations where
> people cannot login ... for everyone else it is working great. I am not sure
> how to debug this and need some guidance.
> 
> I re-read the docs and
> http://jcifs.samba.org/src/docs/ntlmhttpauth.html#transparent implies that
> if something isn't set up correctly with IE or using Linux or MacOS would
> give the login box and they would be able to login. If I use Firefox, this
> is exactly what happens. So, I expected the same from non-MS OSs.
> 
> The first situation is someone cannot login from MacOS. I also tried Linux
> with Konqueror and that also fails. What happens is that it just has a blank
> window and the browser says that it is waiting for a reply. I turned the
> jcifs logging to 10 and there is no output. I also turned on insecureBasic
> to see if that would work and it's exactly the same as before. (Yes, I
> restarted JBoss after I deployed the change.)
> 
> The second situation is that IE fails to login. This is limited to about 5
> machines and if they use Firefox, they can login. I also turned the logging
> to 10 and the communication from the browser stopped after the second
> request/response and just never sent the request for step 3 in the
> negotiation. It then displays the IE error page.
> We tried to set the DisableNTLMPreAuth described in the FAQ and that didn't
> work. We haven't tried adding the website to the local intranet trusted
> sites ... but I don't have that in my IE and mine works.
> 
> So, I am not sure what to do to debug these problems. Here is my config :
> jcifs 1.3.8
> Authenticating against a Win2k3 server
> <filter>
>   <filter-name>NtlmHttpFilter</filter-name>
>   <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
>   
>   <init-param>
>    <param-name>jcifs.http.domainController</param-name>
>    <param-value>OMITTED</param-value>
>   </init-param>
>   <init-param>
>    <param-name>jcifs.http.controllerTimeout</param-name>
>    <param-value>20</param-value>
>   </init-param>
>   <init-param>
>    <param-name>jcifs.util.loglevel</param-name>
>    <param-value>10</param-value>
>   </init-param>
>   <!--
>    		always needed for preauthentication / SMB signatures
>    	-->
>   <init-param>
>    <param-name>jcifs.smb.client.domain</param-name>
>    <param-value>MYDOMAIN</param-value>
>   </init-param>
>     <init-param>
>         <param-name>jcifs.smb.client.username</param-name>
>         <param-value>someuser</param-value>
>     </init-param>
>     <init-param>
>         <param-name>jcifs.smb.client.password</param-name>
>         <param-value>somepassword</param-value>
>     </init-param>
>  </filter>
> 
> Any help would be greatly appreciated. TIA
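
Added example, not part of the original thread or of jcifs: a small decoder for the NTLM tokens seen in Authorization / WWW-Authenticate headers (as captured with Fiddler or LiveHttpHeaders), reporting how far the Type 1/2/3 exchange got and, from the NT response length in Type 3, whether the client answered with an NTLMv1-size or NTLMv2-size response. The function names and the zero-filled sample messages are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"

def classify(header_value):
    """Label one Authorization / WWW-Authenticate header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return "other scheme"              # e.g. Basic or Negotiate
    if not token:
        return "bare challenge"            # server's initial "WWW-Authenticate: NTLM"
    raw = base64.b64decode(token, validate=True)
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    if msg_type in (1, 2):
        return "type%d" % msg_type
    if msg_type != 3 or len(raw) < 28:
        raise ValueError("unknown or truncated NTLM message")
    # Type 3: the NT response descriptor (len, maxlen, offset) sits at byte 20.
    nt_len, _, nt_off = struct.unpack_from("<HHI", raw, 20)
    if nt_off + nt_len > len(raw):
        raise ValueError("NT response points outside the message")
    if nt_len > 24:
        return "type3-ntlmv2"              # 16-byte proof plus variable-length blob
    # A 24-byte response is NTLMv1 (or its NTLM2 session-security variant).
    return "type3-ntlmv1" if nt_len == 24 else "type3-no-nt-response"

def diagnose(header_values):
    """Say how far a captured handshake got, given header values in order."""
    seen = [classify(v) for v in header_values]
    final = [s for s in seen if s.startswith("type3")]
    if final:
        return "client answered: " + final[-1]
    if "type2" in seen:
        return "stalled after type2: client never sent type3"
    return "handshake did not reach type2"

def sample(msg_type, nt_len=0):
    """Build a constructed, zero-filled NTLM header value for the demo."""
    body = b""
    if msg_type == 3:
        # Six 8-byte field descriptors plus flags; only the NT one is filled in.
        body = struct.pack("<8xHHI32x4x", nt_len, nt_len, 64) + bytes(nt_len)
    msg = SIGNATURE + struct.pack("<I", msg_type) + body
    return "NTLM " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    stalled = ["NTLM", sample(1), sample(2)]   # the symptom in the quoted post
    print(diagnose(stalled))
    print(diagnose(stalled + [sample(3, nt_len=60)]))
```
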


