[jcifs] Occasionally NTLM Filter fails...And Here's Why

Michael B Allen ioplex at gmail.com
Tue May 19 15:13:18 GMT 2009

I do not normally answer JCIFS HTTP filter questions but when someone
posts a "fix" like the OP's patch I figure I better step in and remind
people that the JCIFS HTTP Authentication Filter is irreversibly
broken and will be removed from the JCIFS library:


But to explain the problem in this thread more directly: The patch
cited in the original post is obsolete. You can set
jcifs.smb.client.ssnLimit = 1 and get precisely the same effect
without changing any code. I believe I explained that to the person
that originally posted that patch and I believe they confirmed that
ssnLimit = 1 worked (although I do not really pay much attention to
anything about the HTTP filter so I could be mistaken).

The reason that the OP is seeing the filter fail "occasionally" is
(probably) because the transport is closing in the middle of an NTLM
exchange with the domain controller. And because the acceptor (the web
server) is not generating the challenge itself (like it would in a
proper NTLMSSP acceptor), it cannot simply retry the communication
with the DC when it looses the link. This is the "hiccup bug" cited in
the link above.

The reason creating separate transports for each authentication (using
the ssnLimit = 1 or that patch) works is because it just creates a new
transport with each authentication so there is no connection to get
dropped (although a network glitch could still interrupt the NTLM
exchange in which case again, unlike a proper NTLMSSP acceptor, there
would be no way to recover). For very small websites this might work
well enough but it will not scale. Creating a transport for each
authentication wastes an enormous amount of resources.

Well I've met my HTTP filter question quota for the year. Horrah!


On Tue, May 19, 2009 at 6:47 AM, Andrew Murphy
<amurphy at halogensoftware.com> wrote:
> These are the parameters that we use:
> jcifs.smb.client.domain
> jcifs.http.domainController
> jcifs.smb.client.username
> jcifs.smb.client.password
> jcifs.util.loglevel
> jcifs.smb.lmCompatibility
> jcifs.smb.client.useExtendedSecurity
> We have found that these will only support a single Windows Domain.  Perhaps you should reply with the settings, type of environment and what errors you may be getting?
> Andrew Murphy
> Lead Developer, Technical Services
> -----Original Message-----
> From: jcifs-bounces+amurphy=halogensoftware.com at lists.samba.org [mailto:jcifs-bounces+amurphy=halogensoftware.com at lists.samba.org] On Behalf Of shivsn
> Sent: Monday, May 18, 2009 9:30 AM
> To: jcifs at lists.samba.org
> Subject: RE: [jcifs] Occasionally NTLM Filter fails...Please Help.
> Hi Andrew,
> I tried with jcifs version 1.3.8 and the 2 parameters you suggseted. But it
> does not help. I am unable to get hold of jar file for jcifs version 1.3.3.
> Can you please upload the same here.
> Also, can you please confirm all the jcifs parameters you are using in your
> case.
> Thanks,
> Shiv.
> shivsn wrote:
>> Many thanks Andrew. I will try with 1.3.8 version which seems to be the
>> latest one now and the the 2 parameters you have mentioned below and
>> feedback. Thanks again.
>> Shiv.
>> Andrew Murphy-5 wrote:
>>> We found that this problem was solved by upgrading the version of the
>>> JCIFS jar to the latest (at the time) of 1.3.3.  But when we did that, we
>>> had to implement the two extra parameters in the initialization:
>>> jcifs.smb.lmCompatibility=0 and
>>> jcifs.smb.client.useExtendedSecurity=false.
>>> Hope that is helpful for you.
>>> Andrew Murphy
>>> Lead Developer, Technical Services
>>> -----Original Message-----
>>> From: jcifs-bounces+amurphy=halogensoftware.com at lists.samba.org
>>> [mailto:jcifs-bounces+amurphy=halogensoftware.com at lists.samba.org] On
>>> Behalf Of shivsn
>>> Sent: Thursday, May 14, 2009 10:42 AM
>>> To: jcifs at lists.samba.org
>>> Subject: Re: [jcifs] Occasionally NTLM Filter fails...Please Help.
>>> Hello Andrew,
>>> Did you find a solution to this issue. We are facing exactly the same
>>> problem as yours. We are on jcifs version 1.2.17. Please help.
>>> Thanks,
>>> Shiv.
>>> Andrew Murphy-5 wrote:
>>>> Ti Lian Hwang <lian_hwang.ti <at> fairprice.com.sg> writes:
>>>>> Please refer
>>>>> to
>>>>> http://lists.samba.org/archive/jcifs/2008-January/007602.html
>>>>> which has worked for me ever
>>>>> since.
>>>> Is there no other way to accomplish this without having to modify the
>>>> JCIFS
>>>> source classes?  Its convenient to stay on the released versions as
>>>> opposed to
>>>> having to maintain a separate source.
>>>> I was more wondering about a configuration change that we might do on
>>>> the
>>>> Domain Controller server so that it doesn't worry about the unicode
>>>> password
>>>> not being present.  Or some jcifs property that would ensure that the
>>>> unicode
>>>> password is always included.
>>>> I forgot to mention that we are using the 1.2.13 version of the jcifs
>>>> jar
>>>> file.
>>>> Thanks again.
>>>> Andrew

Michael B Allen
Java Active Directory Integration

More information about the jcifs mailing list