[jcifs] Random "Internet Explorer Cannot display the Web page" on Windows 2008 server, IE 7 and Tomcat 6

Mon Nov 2 15:18:39 MST 2009

pardesh wrote:
> Michael B Allen <ioplex <at> gmail.com> writes:
> 
>> Your response is totally false.
>>
>> All versions of Windows fully support both NTLMv1 and NTLMv2. Windows
>> 2008 and Windows 7 just use NTLMv2 by default.
>>
>> JCIFS fully supports both NTLMv1 and NTLMv2 as a client. As a server
>> it does not support NTLM or any other authentication protocol at all
>> (although there is hack that allows it to validate NTLMv1 hashes as a
>> server that is in the process of being removed from the JCIFS
>> package).
>>
>> Mike
> 
> Mike,
> 
> What might be the cause for this random error page? Is the transport socket 
> being closed occasinally causing this issue?
> 

Pardesh, and Joseph, and Venuganan (?),

I am not the authority in this subject.  Michael is the authority.  But 
he is probably so tired of answering these same kinds of questions all 
the time, since a long time, that I am trying to help him out here.

The point is :

there is

- the jCIFS package : that is a Java client package, which (as far as I 
understand it) allows one to write Java program that will talk to MS 
file servers etc.. through the SMB protocol, to share files, copy them 
etc... In the process, *as a client*, that package is also able to 
authenticate itself vis-a-vis these MS servers.
That package works, is supported, continues to be developed, can be used 
with MS servers requiring all kinds of NTLM client authentication.

and then there is (a very different thing)

- a "hack" that existed at some point, which is a Java servlet filter 
called "jCIFS NTLM HTTP* something, which basically *is not developed 
and not supported anymore*.  That module, in limited circumstances and 
for NTLMv1 authentication only, at some point in the past was kind of a 
solution which, for browsers accessing a webapp, was "faking" a MS 
authentication server, and allowed to retrieve the MS Domain user-id 
under which the browser's workstation was logged in, and pass it to 
Tomcat as a user-id.

I have used that module myself in the past, up to the point about 2 
years ago, when I started to experience some problems with it.
The problems had to do with the fact that NTLMv2 is becoming the 
standard in Windows networks authentication, and that this servlet 
filter *does not support NTLMv2 and can not support it*.  It can not 
support it, because NTLMv2 was specifically designed to forbid the kind 
of "man in the middle" trick that this servlet filter used.
(In other words, that servlet exploited a weakness of NTLMv1, which 
NTLMv2 corrected.)
All recent versions of Windows (workstations and servers) default to NTLMv2.
So, if in your network there is one Vista station, or one Windows 2003 
or higher domain controller, the default for them is to be set to accept 
only NTLMv2, and you will (occasionally or all the time) have problems 
with this servlet.  These problems will manifest themselves as failures 
to authenticate, broken connections or whatever.  But nobody is going to 
help analyse or fix these problems.

So, you are welcome to keep losing your time with this servlet filter, 
and it may still work in some limited cases (like if you have only 
Windows XP stations and Win2K servers, and all are using NTLMv1), but in 
the end you will be faced with the fact that it does not work anymore 
nowadays in a general sense, and that nobody is going to fix it.

So, my recommendation to all of you, is to look for some other software 
which does the same thing and works with NTLMv2.
Jespa, indicated on the page, is one product that works.

Jespa is free to test, and remains free for up to 25 domain users.