[jcifs] Need help with failed logins

MStreck mark.strecker at siemens.com
Fri Apr 10 20:29:29 GMT 2009 

Hello All,

Thanks for the quick replies. I will try to answer both posts here.

First, I can confirm that using Firefox on MacOS does work and Safari on my
PC also works, but I am using the 4.x beta they have 3.x ... so maybe there
is a fix? I also noticed that with the MacOS failure with Safari, I get the
unknown user error.(Which is different from the others.) The negotiation
appears to complete, but it gets the error.

I will try the browser plug-ins and WireShark to see what's happening.
Anything in particular to look for?

I too suspect that there are setup differences on the PCs I mentioned. They
are all laptops at a single site(using XPSP3), but IE on their desktops
works. We did look at the security checkbox for Enable Integrated Windows
Auth and noticed that the trusted intranet sites were different. Changing
the trusted intranet sites didn't change anything.

I will also ask one of the systems people if they are limited to NTLMv2.

Maybe I'll try Jespa too if it's pretty easy to drop in. We don't use Vista
widely yet, but it seems that this is the upgrade path. Anyone using Jespa
with Seam?

Thanks again.
I'll get back with you on Monday with more info.


AsafM wrote:
> 
> On Thu, Apr 9, 2009 at 4:52 PM, MStreck <mark.strecker at siemens.com> wrote:
> 
>>
>> Hello All,
>>
>> We are using the filter in production and have a couple of situations
>> where
>> people cannot login ... for everyone else it is working great. I am not
>> sure
>> how to debug this and need some guidance.
>>
>> I re-read the docs and
>> http://jcifs.samba.org/src/docs/ntlmhttpauth.html#transparent implies
>> that
>> if something isn't setup correctly with IE or using Linux or MacOS would
>> give the login box and they would be able to login. If I use Firefox,
>> this
>> is exactly what happens. So, I expected the same from non-MS OSs.
>>
>> The first situation is someone cannot login from MacOS. I also tried
>> Linux
>> with Konquerer and that also fails. What happens is that it just has a
>> blank
>> window and the browser says that it is waiting for a reply. I turned the
>> jcifs logging to 10 and there is no output. I also turned on
>> insecureBasic
>> to see if that would work and it's exactly the same as before.(Yes, I
>> restarted JBoss after I deployed the change.)
>>
> I never heard that it ever worked with non MS OS. I think FireFox have an
> integrated code which uses some Windows OS calls to prepare the hashed
> password for the 3rd response in the handshake.
> 
> 
>>
>> The second situation is that IE fails to login. This is limited to about
>> 5
>> machines and if they use Firefox, they can login. I also turned the
>> logging
>> to 10 and the communication from the browser stopped after the second
>> request/response and just never sent the request for step 3 in the
>> negotiation. It then displays the IE error page.
>> We tried to set the DisableNTLMPreAuth describes in the FAQ and that
>> didn't
>> work. We haven't tried adding the website to the local intranet trusted
>> sites ... but I don't have that in my IE and mine works.
>>
> Hmm, I think you should start by using WireShark and write down the
> packets
> sent and received between the internet explorer (client) computer and your
> JBoss.
> Once I have that I can continue on to help you out.
> 
> 
> 
>>
>> So, I am not sure what to do to debug these problems. Here is my config :
>> jcifs 1.3.8
>> Authenticating against a Win2k3 server
>> <filter>
>>  <filter-name>NtlmHttpFilter</filter-name>
>>  <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
>>
>>  <init-param>
>>   <param-name>jcifs.http.domainController</param-name>
>>   <param-value>OMITTED</param-value>
>>  </init-param>
>>  <init-param>
>>   <param-name>jcifs.http.controllerTimeout</param-name>
>>   <param-value>20</param-value>
>>  </init-param>
>>  <init-param>
>>   <param-name>jcifs.util.loglevel</param-name>
>>   <param-value>10</param-value>
>>  </init-param>
>>  <!--
>>                always needed for preauthentication / SMB signatures
>>        -->
>>  <init-param>
>>   <param-name>jcifs.smb.client.domain</param-name>
>>   <param-value>MYDOMAIN</param-value>
>>  </init-param>
>>    <init-param>
>>        <param-name>jcifs.smb.client.username</param-name>
>>        <param-value>someuser</param-value>
>>    </init-param>
>>    <init-param>
>>        <param-name>jcifs.smb.client.password</param-name>
>>        <param-value>somepassword</param-value>
>>    </init-param>
>>  </filter>
>>
>> Any help would be greatly appreciated. TIA
>> --
>> View this message in context:
>> http://www.nabble.com/Need-help-with-failed-logins-tp22971401p22971401.html
>> Sent from the Samba - jcifs mailing list archive at Nabble.com.
>>
>>
> 
> 

-- 
View this message in context: http://www.nabble.com/Need-help-with-failed-logins-tp22971401p22993802.html
Sent from the Samba - jcifs mailing list archive at Nabble.com.

More information about the jcifs mailing list