[jcifs] Random "Internet Explorer Cannot display the Web page" on Windows 2008 server, IE 7 and Tomcat 6
André Warnier
aw at ice-sa.com
Mon Nov 2 15:18:39 MST 2009
pardesh wrote:
> Michael B Allen <ioplex <at> gmail.com> writes:
>
>> Your response is totally false.
>>
>> All versions of Windows fully support both NTLMv1 and NTLMv2. Windows
>> 2008 and Windows 7 just use NTLMv2 by default.
>>
>> JCIFS fully supports both NTLMv1 and NTLMv2 as a client. As a server
>> it does not support NTLM or any other authentication protocol at all
>> (although there is a hack that allows it to validate NTLMv1 hashes as a
>> server that is in the process of being removed from the JCIFS
>> package).
>>
>> Mike
>
> Mike,
>
> What might be the cause for this random error page? Is the transport socket
> being closed occasionally causing this issue?
>

Pardesh, and Joseph, and Venuganan (?),

I am not the authority in this subject. Michael is the authority. But
he is probably so tired of answering these same kinds of questions all
the time, since a long time, that I am trying to help him out here.

The point is:
there is

- the jCIFS package: that is a Java client package, which (as far as I
understand it) allows one to write Java programs that will talk to MS
file servers etc. through the SMB protocol, to share files, copy them
etc... In the process, *as a client*, that package is also able to
authenticate itself vis-a-vis these MS servers.
That package works, is supported, continues to be developed, can be used
with MS servers requiring all kinds of NTLM client authentication.

and then there is (a very different thing)

- a "hack" that existed at some point, which is a Java servlet filter
called "jCIFS NTLM HTTP" something, which basically *is not developed
and not supported anymore*. That module, in limited circumstances and
for NTLMv1 authentication only, at some point in the past was kind of a
solution which, for browsers accessing a webapp, was "faking" a MS
authentication server, and allowed to retrieve the MS Domain user-id
under which the browser's workstation was logged in, and pass it to
Tomcat as a user-id.

I have used that module myself in the past, up to the point about 2
years ago, when I started to experience some problems with it.
The problems had to do with the fact that NTLMv2 is becoming the
standard in Windows networks authentication, and that this servlet
filter *does not support NTLMv2 and can not support it*. It can not
support it, because NTLMv2 was specifically designed to forbid the kind
of "man in the middle" trick that this servlet filter used.
(In other words, that servlet exploited a weakness of NTLMv1, which
NTLMv2 corrected.)

All recent versions of Windows (workstations and servers) default to NTLMv2.
So, if in your network there is one Vista station, or one Windows 2003
or higher domain controller, the default for them is to be set to accept
only NTLMv2, and you will (occasionally or all the time) have problems
with this servlet. These problems will manifest themselves as failures
to authenticate, broken connections or whatever. But nobody is going to
help analyse or fix these problems.

So, you are welcome to keep losing your time with this servlet filter,
and it may still work in some limited cases (like if you have only
Windows XP stations and Win2K servers, and all are using NTLMv1), but in
the end you will be faced with the fact that it does not work anymore
nowadays in a general sense, and that nobody is going to fix it.

So, my recommendation to all of you, is to look for some other software
which does the same thing and works with NTLMv2.
Jespa, indicated on the page, is one product that works.
Jespa is free to test, and remains free for up to 25 domain users.
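
Added example, not part of the original post and not jCIFS code: a diagnostic that classifies captured `Authorization: NTLM ...` header values, so an administrator can see whether browsers reaching the filter are sending NTLMv1 or NTLMv2 responses. The function names and the sample messages are constructed for illustration; the classification assumes the standard Type 3 layout, in which a 24-byte NT response is NTLMv1-style and a longer one is NTLMv2.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"

def classify_authorization(value):
    """Classify one 'Authorization: NTLM <base64>' header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        raise ValueError("not an NTLM Authorization value")
    msg = base64.b64decode(token.strip(), validate=True)
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type == 1:
        return "type1-negotiate"
    if msg_type != 3:
        raise ValueError("unexpected message type %d from a client" % msg_type)
    if len(msg) < 28:
        raise ValueError("truncated Type 3 message")
    # NtChallengeResponse field descriptor: length, max length, offset.
    nt_len, _, nt_off = struct.unpack_from("<HHI", msg, 20)
    if nt_off + nt_len > len(msg):
        raise ValueError("NT response points outside the message")
    if nt_len == 0:
        return "type3-no-nt-response"
    if nt_len == 24:
        # Fixed 24-byte response: NTLMv1 or its extended-session-security variant.
        return "type3-ntlmv1"
    if nt_len > 24:
        # 16-byte HMAC plus a variable-length client blob: NTLMv2.
        return "type3-ntlmv2"
    raise ValueError("unexpected NT response length %d" % nt_len)

def build_sample_type3(nt_response):
    """Constructed Type 3 message for the demo; all other fields are empty."""
    empty = struct.pack("<HHI", 0, 0, 64)
    nt = struct.pack("<HHI", len(nt_response), len(nt_response), 64)
    msg = (SIGNATURE + struct.pack("<I", 3) + empty + nt + empty * 4
           + struct.pack("<I", 0) + nt_response)
    return "NTLM " + base64.b64encode(msg).decode("ascii")

if __name__ == "__main__":
    for sample in (build_sample_type3(b"\x11" * 24), build_sample_type3(b"\x22" * 60)):
        print(classify_authorization(sample))
```

Run over header values taken from an access log or a proxy capture, a steady share of `type3-ntlmv2` results means the clients are already on NTLMv2.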